4/5/2026 | 9 min read | David Whelan

Understanding your rights when your personal data is exposed.

Your personal information is valuable. When an organisation fails to protect it, the consequences can range from anxiety to financial theft. Learn how you can claim compensation for the harm caused.

Nowadays, our personal data is everywhere: online shops, social media networks, healthcare providers, employers and more. Each of these organisations has an obligation to protect your data. If they fail and your personal information is exposed in a data breach, you have the right to hold them accountable. This guide explains the key concepts involved and your rights as the victim of a breach.

What does "personal data" mean, legally speaking?

As far as the law is concerned, personal data is any information that can be used to identify a living person, either directly or indirectly. This is broader than you might think, and includes:

  • Direct identifiers: Name, address, phone number, email address.
  • Official identifiers: National Insurance number, passport number, driving licence number.
  • Financial data: Bank account details, credit/debit card numbers.
  • Online data: IP addresses, cookie identifiers, location data.
  • Special category data: This is more sensitive data that requires extra protection, including your race or ethnicity, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, and sex life or sexual orientation.

How serious is a personal data breach?

Not all breaches are the same. The impact can range from minor annoyance to life-altering consequences. There are no legal rules defining a minor versus a major breach, because the impact is judged case by case, but the following examples illustrate how different breaches present different risks.

Low impact

Example: Someone uses CC instead of BCC in a group email, revealing your email address to all recipients.

The risks: Annoyance, potential for spam. Minimal distress.

Medium impact

Example: A marketing company leaks a list of customer names and email addresses from a campaign.

The risks: Phishing attempts, unwanted contact. Moderate distress and inconvenience.

High impact

Example: An e-commerce site is hacked, exposing financial details, passwords, and personal information.

The risks: A high chance of fraud or identity theft. Significant distress and financial loss.

Extreme impact

Example: A leak of sensitive medical records or information that could put someone in physical danger.

The risks: Blackmail, identity theft, reputational damage. Severe distress and psychological harm.

What are my rights if my data has been exposed?

Discovering that your personal information has been involved in a data breach can be alarming. However, UK data protection law gives you specific rights to help you understand what has happened and take action to protect yourself.

The right to be informed

If the data breach is likely to result in a "high risk" to you, the organisation must inform you directly and without undue delay, explaining what happened, what data was involved, and what steps you should take to protect yourself.

The right of access

You have the right to ask the organisation for a copy of the personal data they hold about you (a Subject Access Request), which can help you confirm exactly which information may have been exposed in the breach.

The right to erasure

In certain circumstances, you can ask an organisation to delete your personal data, for example if they no longer have a legitimate reason to keep it.

The right to complain to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe an organisation has failed to protect your data, mishandled a breach, or violated your rights.

The right to compensation

If you have suffered damage as a result of a data protection breach, you have a right to claim compensation from the organisation responsible. This includes compensation for tangible financial losses (material damage) as well as distress, anxiety, or other emotional harm caused by the breach (non-material damage).

Legal terminology about data breaches, in plain English

| Term | What it means |
| --- | --- |
| Data Controller | The organisation that decides how and why personal data is processed (e.g., your employer, your bank, an online retailer). They have the ultimate responsibility for protecting it. |
| Data Processor | A separate organisation that processes data on behalf of a controller (e.g., a third-party payroll company or a cloud storage provider). |
| ICO (Information Commissioner's Office) | The UK's independent authority set up to uphold information rights. They can investigate breaches and issue large fines, but they do not award compensation to individuals. |
| Material Damage | The specific, measurable financial losses you have suffered as a direct result of the data breach (e.g., money stolen from your account). |
| Non-Material Damage | The non-financial harm caused by a breach. This is a legal term for things like emotional distress, anxiety, reputational damage, or the inconvenience of having to resolve the issues. |
| UK GDPR | The UK General Data Protection Regulation, the primary law governing how organisations must protect UK citizens' personal data. |
