One in five people in the UK and Ireland have fallen victim to a data breach, while one in four do not know whether their personal data has been illegally accessed.
A survey of more than 1,000 people in the UK and Ireland, which was conducted by law firm Gibson & Associates Solicitors, has revealed that 20% of respondents admitted they have had their personal data exposed in an illegal breach, while 25% said they were unaware if they had been a victim.
Of those who said they had been the victim of a data breach, only 7% made a claim. When asked why they did not make a claim, 37% said they were not aware that they could make a claim, while 24% didn’t think it was a big enough concern to make a claim.
Reza Nazem, data protection solicitor at Gibson & Associates Solicitors, said:
“Any organisation that collects personal data has a legal duty of care to make sure it is protected. Anyone who has their data leaked due to the irresponsibility of a company is vulnerable to suffering financial losses. Regardless of how big or small these losses are, companies should be held accountable for their mistreatment of this often very sensitive data, which is why victims have the legal right to make a claim.
“While it may not seem like a big deal to make a claim if you haven’t suffered significant financial losses, individuals shouldn’t be worried about whether they are going to have their personal information used without their knowledge. Making a claim isn’t just about reimbursing the victim’s financial loss, it can be used to recompense any emotional distress and ensure that the responsible organisation has suitable security methods in place to protect data against any future breaches.”
Despite 80% of participants knowing what GDPR is, respondents showed gaps in knowledge when asked about the guidelines. Only 28% understood what personal data could be legally kept by an organisation, while 15% wrongly said that companies were not able to keep any personal data at all.
There was also a significant lack of knowledge when respondents were asked what companies can legally do with personal data, with only 26% correctly identifying that organisations are able to do the following with personal information:
– Use it to provide a service
– Use it to make a recommendation
– Use it to decide what you see online
– Use it to directly sell to you
– Sell the data to third parties
Some 14% incorrectly said that companies were not able to do any of the above with personal data.
Mr Nazem said:
“GDPR was introduced to allow people to take back control of their personal information and make informed decisions about how it is used. While it falls to a company to responsibly handle people’s personal data, individuals need to be aware of what information is being stored about them and what can be done with it. If you’re unsure about what data is being held about you, you can make a subject access request.”
A subject access request is a written or verbal request asking for access to personal information that an organisation holds or processes on you. Currently, more than half (55%) of UK and Irish residents do not know what a subject access request is, despite 62% not trusting companies to use their data responsibly.