Personal information exposed after a data breach? Here’s what you can do

A personal data breach occurs when protected personal data is inadvertently or purposefully deleted, lost, changed, disclosed, or accessed without authorization, typically as a result of a digital security event.

The most common personal data breaches are those in which an unauthorized third party, such as a hacker, has gotten access to private digital files. Another example of a data security breach is when technology carrying personal data is lost or stolen.

However, it also counts as a personal data breach when firms transfer your personal information to someone else without your permission or when your data is updated without your permission.

If you discover that an organization has lost your personal data as a consequence of a breach, you can take action to protect yourself and, in certain situations, seek compensation. To help you understand your rights and the steps you need to take if you have been the victim of a data breach, we have put together a list of questions and answers. Continue reading to find out more. 

Which type of personal data do businesses keep?

Companies require your personal data for a variety of things. Ecommerce and subscription websites, for example, will need your name, address, and payment information, but information such as your phone number, email address, and passwords is also considered sensitive data that should not be disclosed without your permission.

Here is the most common data that gets leaked in breaches:

  • Name
  • Address
  • Date of birth
  • Email address
  • Phone number(s)
  • Credit card details
  • Bank information
  • Passwords

These are, of course, just some examples. As a rule of thumb, any type of information that can be used to identify you is protected by GDPR. This can also include GPS data from your phone or computer, IP address, facial images, fingerprints, sexual orientation, ethnic and racial origins, as well as trade union membership. 

What should a company do in case of a data breach?

If a firm loses your personal data as a consequence of a data breach, the organization must follow data protection protocols.

According to experts, if there is a severe breach of your personal data that is likely to put your rights and freedoms at risk, the corporation is required under the Data Protection Act 2018 (GDPR) to notify you without undue delay.

Following a breach, the organization must assess the likelihood and severity of the harm to your freedom and personal data rights.

Ideally, if you have fallen victim to a data breach, the company at fault should inform you of the following:

  • the name and contact information for the data protection officer or another person of contact who may give more details on the matter
  • an explanation of the possible repercussions of the compromise of personal data
  • a description of the steps taken, or intended to be taken, to deal with the personal data breach, including, if applicable, those taken to minimize any potential negative consequences

What should I do if I get notified of my data being exposed?

If you have been notified that your data was exposed to malicious parties, you should take some steps to minimize the risks. These steps include:

Change all your passwords

If your data has been stolen and you use the same or similar login credentials – such as passwords and usernames – for other websites or online accounts, you should immediately update those details.

Ideally, a strong password should contain at least 8 characters. Don’t include your name, username, or business name in your password, make sure each password is unique, and don’t forget to include combinations of letters, numbers, and symbols as well. 

Check your bank accounts constantly

Over the following several months, you should keep a close watch on your bank accounts and other online accounts, especially if you suspect the breach involves any financial information or information that a fraudster may use to commit identity theft.

If you see anything out of the ordinary, call your bank immediately and explain that you have been a victim of fraud.

Be ready for potential scams

If someone calls you requesting personal information or passwords (such as those for your bank account), take steps to verify their identity.

Ask whether they can provide you with information that only the firm they claim to be phoning from is aware of, for example, the terms of your service contract or the amount you pay each month.

If you are still concerned about the caller’s identity, hang up and contact the firm again.

Can I claim compensation for a data breach?

The Data Protection Act of 2018 (GDPR) requires organizations to keep your data safe. This implies companies must take steps to avoid unauthorized or illegal handling of your personal data. They must also secure your personal data from unintentional loss, destruction, or damage.

If your data is lost and it causes you financial harm or anguish, you may be entitled to sue the organization that lost it for compensation.

Make a complaint to the company that is responsible for the situation

If you’ve experienced emotional or financial harm as a consequence of your data being hacked, the first step is to notify the organization you feel is to blame. Outline your suffering and losses, as well as how you want them to compensate you.

File a complaint to the Information Commissioner’s Office (ICO)

You can also complain to the ICO about how the organization handled your data. The ICO is not permitted by law to award compensation or provide recommendations on the amount of compensation that should be paid, even if it has said that the organization did, in its opinion, violate the GDPR. However, its opinion may be crucial in your lawsuit against the organization that mishandled your data.

Make a claim in the small claims court

If you and the organization that compromised your data cannot agree on whether or not you are entitled to compensation, you can file a claim in small claims court. If the ICO agreed with you that the GDPR was violated, it would be a useful piece of evidence to present in court.

To make sure your case is successful and your claim is handled in the best possible way, we recommend hiring a lawyer who specializes in data breach claims. They will make sure you follow all procedures and get the right legal solution.