The Ultimate Guide to a Data Breach

In today’s digital age, we don’t seem to go very long without another big organisation hitting the headlines for exposing personal data. Of course, data can be used to describe a plethora of information such as numbers, words, measurements, descriptions etc. And today, businesses of all types and sizes use such data to make decisions, inform their operations, and provide a service to their customers.

However, when we talk about a data breach, we are discussing a particular category of information – that of personal data. And the repercussions of a breach can be both severe and delayed, sometimes not fully manifesting for years.

In this handy guide, the data protection experts at Keller Lenkner UK provide an insight into the impact of a data breach, what you can do to stay safe following a privacy violation, and how to get justice for the breach of your rights.   

What is a data breach?

A data breach happens when an individual’s personal data is accessed, stolen, published, or otherwise used without their authorisation.

Crucially, a breach can have a range of adverse effects on individuals, including emotional distress and financial losses. And, despite fears about cybercrime, human error is still the biggest cause of data protection breaches.

There are several ways a data breach could occur, for example:

What is personal data?

Personal data is any information about a person that could be used to identify them, either on its own or in combination with other information. For example, a name, email address or even an IP address.

Personal data also includes extremely sensitive information such as medical records, details about a person’s political or religious leanings, and criminal convictions.

Personal data is valuable

Your data has value, so it is only right that you should decide who can access and use it.

Big tech giants like Facebook and Google have made billions exploiting personal data to sell advertising, while credit reference agencies are also making a huge profit selling personal data for marketing purposes. We all know the well-worn cliché “If you are not paying for it, then you are the product”, so it is perhaps no surprise that:

The data of almost every adult in the UK has been screened, traded, profiled, enriched, or enhanced to provide direct marketing services[1].

While the use of our data for marketing may be problematic, there is another problem, as, following a data breach, people’s details are often found for sale on the dark web – often for just a few pounds. With cybercriminals frequently using this data for targeted phishing attacks and extortion, we should not underestimate the damage that can be done with this information should it get into the wrong hands.

Data protection legislation

The Data Protection Act 2018 (the UK’s interpretation of the General Data Protection Regulation) places obligations on organisations that use your personal data to ensure that it is not monetised, exploited, or otherwise used without your consent.

The Data Protection Act 2018


The Data Protection Act 2018 controls how organisations, businesses, and the government can use your personal information. The Data Protection Act is the UK’s implementation of the General Data Protection Regulation (GDPR).


General Data Protection Regulation (GDPR)


The General Data Protection Regulation is an EU regulation on data protection and privacy. Despite Brexit, all UK organisations must comply with the GDPR. In the UK, the Data Protection Act is the UK’s interpretation of the GDPR.

What is the ICO?

The Information Commissioner’s Office (ICO) is the UK’s data protection watchdog and regulator. It protects your information rights and data privacy, and it helps organisations to meet their data protection obligations.

If your personal information is involved in a data breach, you can ask the ICO to investigate why this happened.

Importantly, the ICO can impose substantial fines on organisations in breach of their data protection responsibilities. For example, in 2020 the ICO individually fined Marriott International £18.4 million, British Airways £20 million, and Ticketmaster £1.25 million for failing to keep their customers’ personal data secure.

However, the ICO does not award compensation to individuals, so it is vital to appoint an expert lawyer to get the compensation you deserve following a data breach. Your solicitor will use evidence uncovered by the ICO to support your data protection compensation claim.

How do I know if my data has been breached?

To avoid falling foul of data protection rules, organisations MUST tell you if they have breached your personal data “without undue delay”. However, in reality, this does not always happen.

If you suspect your data has been breached, but you have not heard from the company you think failed to protect it, you can make a subject access request (SAR) to find out if your information was involved in a privacy violation. You can also contact the ICO if an organisation fails to respond to a SAR, or if it does not do so adequately.

What should I do if my data has been breached?

Victims of data breaches often become the target of cybercriminals. So, following a privacy violation, before you do anything else, it is essential to take steps to keep yourself safe.

As well as following any security instructions provided by the organisation that breached your data, here are some top tips to prevent the impact of a data breach from escalating.

Protect your finances

  • Contact your bank/credit card provider ASAP if your financial data has been exposed. They will provide advice on what to do next.
  • Check all bills, statements and emails for unfamiliar transactions and alert your bank/credit card provider immediately if there is any suspicious activity.
  • Call the credit reference agencies (Credit, Experian, and Equifax) to ensure criminals do not take out credit in your name. You should also monitor your credit score for any unexpected dips.
  • Do not provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Do not be pressured into moving money to another account “for fraud reasons”. A legitimate financial organisation will not ask you to do this.

Watch out for scammers trying to extract further information from you

  • Do not assume an email, letter, text, or phone call is authentic just because someone has your details. They could have got hold of these in the data breach.
  • Beware of scare tactics that try to trick you into revealing your security details, or which encourage you to act in a way that puts you in danger. A responsible organisation will not force you to make a financial transaction then and there.
  • Know that cybercriminals can make a phone call or email appear to come from a trusted person/organisation. You can always contact the organisation in question on a number you know and trust to check if a communication is genuine.
  • Listen to your instincts in case anything feels “off” and stop any discussions if you feel at all unsure.
  • Beware any communications that refer you to a web page asking for personal data.
  • Do not click on any suspicious links or downloads in emails or texts.
  • Do not accept friend requests from people you do not know on social media and review your online privacy settings.
  • Victims of scams and financial/identity fraud should also contact Action Fraud to report their losses.

Put some data protection practices in place

  • Register with the Cifas protective registration service to slow down any credit applications made in your name.
  • Change your passwords and do not use the same password for more than one account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.
  • Use 2FA and other security measures where available.

Once you have taken the necessary steps to protect yourself from harm, you should consider making a data breach compensation claim.

How do I start a data breach compensation claim?

If you discover you are involved in a data breach, you should start a compensation claim. To do this, contact Keller Lenkner UK for a free assessment of your case. We will talk you through your options and explain everything in plain English.

You should also make a note of what happened ASAP, and the impact on you as this could provide valuable evidence in court. This includes things like:

  • Evidence that you made a purchase with the defendant or used the defendant’s services during the data breach period. This could be in a confirmation email, a booking reference, or accessible by logging into your online account (if you have one). You might even be able to trace this on a bank statement.
  • Evidence that you were a client/user of the defendant’s during the data breach period (e.g. where you did not make a purchase, but your details were kept on file).
  • Evidence that your details have been affected (e.g. correspondence from the defendant confirming that your data was breached).
  • Evidence of any financial losses, distress, and/or inconvenience you have suffered because of the data breach. For example:
    • bank statements showing any losses
    • correspondence (letters, emails, etc.) with banks, credit card providers, credit reference agencies, etc.
    • credit score reports (with dates of any dips)
    • details about medical appointments/prescriptions that relate to this data breach
    • evidence of any fraudulent transactions, scam attempts, cancelled cards that relate directly to the data breach
  • Anything else that could be used to support your data breach claim.

What is a group action data breach?

In some cases, where a data breach occurs, you will not be the only victim. In these instances, you might be able to join a group action claim. Because there is strength in numbers, a group action (also called a class action or multi-party action) helps to even the playing field between large organisations and individual claimants. So, a group action usually makes a big organisation take the matter more seriously. This increases the chances of success for the claimants.

Data breach group action claim process

Inform the ICO

Tell the ICO about the data breach. If the ICO goes on to investigate the organisation, you can use any evidence uncovered to support a data breach compensation claim.

Appoint a data breach solicitor

Contact an expert data protection solicitor for a free consultation. They will talk through what has happened to you, advise you on whether you have a winnable case, and go through your options.

Start the claims process

Your data breach lawyer will investigate your case, gather any evidence, complete the relevant paperwork, and file the necessary court forms on time.

Try to reach a settlement

The judge will want to know what steps you have taken to settle your case before taking your claim to court. So, your data breach lawyer will write to the defendant to discuss a settlement.

Go to court

If a settlement cannot be reached, your case will progress to court.

How much data breach compensation will I get?

There are no set amounts awarded for a data breach claim. If you go to court, the judge will consider all the circumstances, including the seriousness of the breach and the impact on you. However, it is important that your data breach solicitor knows what to claim for. Inexperienced solicitors might not understand the full and lasting impact a data breach can have on a person.

Each case is judged on its own merits, but there are some things to consider when claiming compensation for a data breach.

What we might claim for:

Financial Losses

With stolen personal data, criminals can buy things using your bank and credit cards, apply for credit in your name, set up illegal bank accounts and log in to your existing online account.

What this might involve:

Any money lost (e.g. if a criminal made a purchase using your bank card or stole funds from your account).

Any loss of earnings as a direct result of the breach (e.g. if you needed time off work or lost your job because of the impact of the breach).

The loss of future earnings (e.g. if you had to drop out of university).

Any expenses that you had to pay because of the data breach (e.g. private medical care, travel expenses, accommodation, etc.).


A data breach can have a considerable impact on you, both mentally and physically. It is not unusual for a data breach to cause or exacerbate anxiety, stress, and other psychological conditions.

What this might involve:

Stress, worry, and anxiety.

Any recognised psychological injury.

The effect that the leak had on your social and home life.

Loss of privacy

Your data is valuable, and organisations must be held to account if they do not uphold their data protection responsibilities towards you.

What this might involve:

The loss of privacy itself.

The full impact of a data breach is often not felt until months after the initial violation, so it is vital that your solicitor also takes a long-term view when it comes to claiming compensation on your behalf.

How to choose a data breach solicitor

To ensure your data breach claim is successful, you must get professional legal representation. But choosing a solicitor can be daunting. Not least because – should you get it wrong – your decision could be a costly mistake.

If you are the victim of a data breach, what should you look out for when choosing a lawyer?

Data Protection Expertise

If you want to secure justice for a data privacy failure, you need a specialist data breach legal team. Especially as large organisations appoint their own data breach specialist defendants to make the problem go away.

Group Action Expertise

When it comes to winning cases against big players, understanding the law is only half the battle. You also need experience in group action cases. Make sure your solicitors have significant experience in compensation work. This will ensure they understand what it takes to go up against big players and win.


For law firms without the necessary resources, it can be difficult to justify the time required when the other side deliberately drags out cases. The last thing you want is to appoint a firm that will run out of steam.


When it comes to negotiating with defendants in data breach cases, a formidable reputation can go a long way.

What should I ask to ensure I do not end up paying too much?

One of the things that worries people the most about making a data breach claim is that they might have to pay expensive solicitor fees. However, it is possible to make a no-win, no-fee data breach compensation claim with a professional solicitor. But what does no-win-no-fee mean? And how can you be sure that there are no hidden charges or unexpected costs?

Here are three quick questions to ensure you know what it will cost you.

Do you provide a free consultation?

Most data breach lawyers provide a free consultation to make sure they can help you before asking for any money. But it is always worth checking.

Will my claim be no-win,

To ensure data privacy rights are protected, everyone should be able to claim if they have been let down. Cost should not be a barrier to justice. No-win, no-fee means that, if your claim is not successful, you will not have to pay a penny towards your case. Before appointing any data breach solicitor, you must ask how much you will pay if you do not win your case.

How much will I pay if I win?

If your claim is successful, you usually contribute towards your solicitor’s costs. This is called a ‘success fee’. It is taken from the compensation awarded to you, and it can be much higher than you expect. Make sure you understand all the potential costs before you proceed.

Why choose Keller Lenkner UK as your data protection lawyer?

When it comes to legal support, big organisations have deep pockets. And they are smarter and better resourced than ever before. So, it can be difficult for some law firms to stand up to such strength if they do not have data breach expertise or the resources to take the big players on.

At Keller Lenkner UK, we do not just even the score – we take the fight to them.

Our data breach team has the legal expertise and resources necessary to take on the corporate giants. What is more, the strength and means of our firm ensure that we never have to back down from a challenge. And with access to whatever resource we need – be that time to go the long-haul or the expertise to delve deep into the evidence – we have everything it takes to win.


For more tips on how to keep your data safe, follow us on Twitter and Facebook. 

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to discuss your case in more depth.