Data Breaches and personal injury – what can I claim?

Following the introduction of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”) in May 2018, we are seeing more and more cases now where the disclosure of personal data leads to personal injury and loss, and where claimants can therefore be successful in obtaining compensation for these losses.

Compensation for distress and anxiety / psychological injury can be difficult to claim in most situations and areas of law.

However, the law in respect of breaches of personal data under the DPA makes it clear that:

  • Where a personal data breach as defined in Article 4 of the GDPR has taken place which has led to the unauthorised disclosure of, or access to, a person’s personal data; and
  • that person has suffered damage as a result;
  • then they are entitled to compensation for that damage.

 


Therefore, a person can bring a private, civil claim against another party, where a breach of their personal data has taken place, independently of any sanction that the Information Commissioner’s Office (ICO) may impose for that breach.

Whether a person can claim compensation or not depends very much upon the facts and circumstances of each case, taking into account:

  • the nature of the personal data breach (what has been disclosed and to whom); and
  • what impact that breach has had upon the person in question.

For example, if a person’s medical history has been disclosed to another party in error, and not to assist the well-being of that person, it is foreseeable that that person may suffer distress and anxiety as a result of the knowledge that the other party now has information that is personal to them, and that they may impart that knowledge to others causing further distress and anxiety.

Another example is where a person’s location is made known to another party who may pose a threat or a risk to that person; it is clear that this breach would cause distress and harm.

These examples differ from situations such as the disclosure of a person’s date of birth to another, unintended party, which, whilst still a breach in certain circumstances, may not cause a person distress and anxiety and may have no, or no great, impact upon the person whose data has been disclosed.

So if a breach of someone’s personal data has taken place and it has caused that person damage, what can a claim for compensation include?

 

  • Compensation for distress and anxiety and, in some cases, where the breach of personal data is such that it has caused a recognised psychological condition such as depression, compensation for the personal injury / illness caused.
  • The cost of any private or medical treatment, such as counselling or prescriptions for medication, where the psychological damage caused has warranted that treatment.
  • Lost earnings if the damage has been such that the person has had time off work or even if they have had to leave their employment.
  • Travel expenses for having to attend to medical treatment providers, for example.
  • Any other financial losses that may have been incurred as a result of the breach and damage subsequently caused.

It is important, therefore, that if you have either been the subject of a personal data breach, or if you were the person / party responsible for that breach taking place, you take any potential claim seriously and, where appropriate, notify your insurer accordingly and take legal advice as to how to proceed.

If you would like any further information or assistance on this matter where a data breach has taken place that results in personal injury and loss, please contact Louise Plant via email: lplant@prettys.co.uk or call to make an enquiry: 01473 793290

Expert
Louise Plant
Senior Associate