Your Data Rights and Right to Compensation

Under the UK’s data protection law, there are 7 main rights afforded to you. These rights pertain to many aspects of your data sovereignty, including your right to access, right to rectification, right to be forgotten, right to restrict processing, your right to portability and your right to object.

As well as these personal rights, organisations and other parties are also, among other things, obligated to take the adequate steps to protect your information, whilst also providing you with relevant information regarding how your information is going to be used, for what purpose, and for how long the data is going to be kept.

Despite these protections and rights afforded to you, failures to adequately protect personal data happen frequently and the consequences of these violations can be both damaging and distressing for the affected data subjects. So, How Much Compensation for Breach of Data Protection Act?

When are you Entitled to Compensation?

If for whatever reason you have suffered damage as a result of an organisation or individual breaking data protection law, this provides you with the right to claim compensation. In this context ‘damage’ can apply to both material (loss of money) and non-material (distress incurred) harm damage caused to you.

Do Data Breach Claims Have to Go to Court?

Though the information commission can provide input as to if a party has broken data protection law, the ICO cannot award compensation or force any organisation to provide any sort of payment to you.

If you believe that your data protection rights have been breached, your first step in claiming compensation would be to seek independent legal advice for one of the many experts who work in this area.

If your legal advice agrees that you are likely to be entitled to compensation, they will attempt to make a claim against the party on your behalf. Only if an agreement is not made between the two parties, will a claim will proceed to court in order to be heard, ruled upon and thus potentially reach the point of awarded compensation.

Following a failure to reach an agreement, the opposing party should be informed before any attempt is made to begin court proceedings i.e. explicitly telling them you intend to go to court. Depending on your location and the individual court systems, you may also be obliged to follow certain pre-action protocols.

Once a claim has been accepted, the court will want to know what steps have been taken to previously settle the issue, which means copies of any previous communications will be required for documentation purposes.

How Much Compensation for Breach of Data Protection Act?

How much compensation for breach of data protection act will ultimately be up to the judge hearing the case. In this decision several elements and circumstances will be considered, including the seriousness of the infringement as well as the impact upon you, especially when assessing the degree of non-material distress you have suffered.

On the spectrum of seriousness, in regard to violation of the Data Protection Act, compensation can range from hundreds of pounds up to many thousands. A court will likely also take into account whether the failure to adequately protect data is a single instance, or a pattern of behaviour which shows a disregard for the security of personal data that has led to a breach.

Although you may indeed be awarded compensation as a result of a successful claim, if you fail to adequately demonstrate distress or damage incurred, the court may award no compensation, and you may be ordered to pay the other party’s cost. Depending on the agreement you have with your legal representation, you may or may not be personally responsible for this.

Though not always, some of the time these cases are on a ‘no-win, no-fee’ basis, so be advised a fee may be taken in the event of compensation being awarded.

General Data Protection Regulation – GDPR

Data protection is an area of law which has seen a great deal of global development in recent years, particularly with the introduction of the EU’s General Data Protection Regulation 2018 which now governs all organisations across Europe working with personal data.

Designed to address two decades of technological advancement, the GDPR was integrated into UK law as the Data Protection Act 2018, while supplementing and advancing many of the principles already established in the DPA 1998.

What Does the Data Protection Act Do?

The DPA fulfils several important purposes, but chiefly governs how your personal information is used by organisations, businesses, or the government. This Act ensures that personal data is used fairly and lawfully, for specific and explicitly stated purposes, accurate and up to date, appropriately retained and handled in a secure and appropriate manner.

Types of Personal Data

Under the DPA, what can be categorised as ‘personal data’ is particularly broad as to make the legislation an appropriate tool for dealing with the digital age. The legislation also has stronger legal protections for ‘special category’ information which is considered the most sensitive type of personal information, which includes data pertaining to;

  • Race
  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics
  • Health
  • Sexual orientation

As well as this, this the DPA 2018 also affords the aforementioned rights to all citizens. Essentially this legislative update is allowing individuals a guaranteed level of control of their own data, whilst also providing a framework in which data can be adequately safeguarded across Europe and other sufficiently GDPR compliant territories.

Failure to comply with these data protection standards means organisations can be liable to provide compensation to ‘data subjects’ (the individuals the data relates to) who have incurred either damage or destress as a result of a DPA violation.

Organisations that fail to comply may also be fined significant amounts by the relevant territorial authorities. In the UK, the Information Commissioner’s Office may hand out fines that are equivalent to 4% of an organisation’s turnover or €20 million, whichever is greater.

Role of the Information Commissioner’s Office

Regarding you data protection rights, you can make complaints directly to the ICO and they may be able to give you their opinion as to whether data protection regulation has been broken. Although you will be able to pass any advisory correspondence as evidence in court, the ICO is not ultimately responsible for the court’s decision, nor will it likely give you an indication of how much compensation for breach of data protection act will be.

Despite only being relevant to a minority of complaints, you should be aware that “Section 175 of the DPA 2018 entitles [the ICO] to reclaim any expenses [they] incur in giving you assistance from: any costs the court awards to you, or any sum payable to you under an out-of-court settlement.”