What steps should I take if I have experienced a data breach?

1. What can I do?

It’s natural to want to know what’s happened to your personal information. We understand that this can be distressing, but there are many things you can do. If you have been made aware of, or have discovered, a data breach, you can contact the organisation and ask them to explain:

  • what has happened;
  • what information has been affected; and
  • what steps they plan to take to protect your information. 

The organisation should be able to: 

  • confirm if your information has been compromised;
  • listen to how this affected you; and
  • advise on what further steps you can take. 

We have further advice on making a data protection complaint to an organisation, as well as a useful template, on our "How to make a data protection complaint to an organisation" page.

2. What will the organisation do?

The organisation should reply to you within one month. You should try to keep a record of any contact you have with them. If you speak to them over the phone, make a note of who you spoke to and when. It may also help to follow this up in writing, so you have evidence to support your concern.

It may take some time for the organisation to look into what’s happened. Don’t be afraid to chase politely if you don’t hear anything from them.

3. How can I protect myself from further harm and disruption after I’ve been affected by a data breach?

It’s the organisation’s responsibility to keep your personal information secure and advise you on the steps you should take. However, there are some ways you can help protect your information:

  • Report details of lost or stolen documents, such as passports, driving licences, credit cards and cheque books to the organisation that issued them.
  • Inform your bank, building society and credit card company of any unusual transactions on your statement.
  • Watch out for any suspicious emails, text messages and websites. There may be fake messages lurking amongst genuine ones that can be very difficult to spot.
    You can find further information on the National Cyber Security Centre’s (NCSC) website.
  • Use strong passwords to protect your accounts.
    You can also view our video, "Simple steps to protect your information from cyber criminals - strong passwords".
  • Contact Cifas (the UK’s Fraud Prevention Service) to apply for protective registration. This places a warning flag against your name and other personal details on their National Fraud Database. This tells any organisation that uses Cifas information to pay special attention when your details are used to apply for their products or services.

    Knowing you're at risk, they'll carry out extra checks to make sure it's really you applying and not a fraudster using your details.

    CIFAS – The UK’s Fraud Prevention Service
    6th Floor
    Lynton House
    7 - 12 Tavistock Square
    London
    WC1H 9LT
    CIFAS website

4. How can the ICO help me?

We are here to support you. We can help you decide if making a complaint is right for you and give you practical advice, such as steps you can take to protect your information.

You can call our helpline on 0303 123 1113 or use our live chat service.

If you do decide to complain to us, we may look into what’s happened and make recommendations to the organisation about how to improve. 

You can read more information on what to expect from the ICO when making a data protection complaint.