We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

Only 7% of data breach victims make compensation claim – survey

21 Feb 2020 / data law Print

Only 7% of data-breach victims seek compensation

A Dublin solicitor firm’s GDPR survey reveals that while general knowledge of the directive is good, fewer people are aware of its guidelines.

And the Gibson & Associates Solicitors survey shows that one in five respondents, in the UK and Ireland, have fallen victim to a data breach, with the vast majority not aware that legal action can be taken as a result. 

Results include:

  • 28% understood what personal data organisations could keep on them,
  • 15% thought companies couldn’t keep any data on them,
  • Only 26% knew what companies could do with their personal data,
  • 14% said that they couldn’t do anything with the information,
  • Despite 62% of people not trusting companies to use their data responsibly, fewer than half understood what a subject access request is.

In addition to these findings, the survey also revealed that 20% of respondents have fallen victim to a breach.


Of those who said they had been the victim of a data breach, only 7% made a claim. When asked why they did not make a claim, 37% said they were not aware that they could make a claim, while 24% didn’t think it was a big enough concern to make a claim.

Reza Nazem, data protection solicitor at Gibson & Associates Solicitors, said:

“Any organisation that collects personal data has a legal duty of care to make sure it is protected.

“Anyone who has their data leaked due to the irresponsibility of a company is vulnerable to suffering financial losses.


“Regardless of how big or small these losses are, companies should be held accountable for their mistreatment of this often very sensitive data, which is why victims have the legal right to make a claim.

Despite 80% of participants knowing what GDPR is, respondents showed gaps in knowledge when asked about the guidelines.

Only 28% understood which personal data could be legally kept by an organisation, while 15% wrongly said that companies were not able to keep any personal data at all.

There was also a significant lack of knowledge about what companies can legally do with personal data, with only 26% answering correctly.

Organisations may use personal information for the following purposes:

  • Use it to provide a service,
  • Use it to make a recommendation,
  • Use it to decide what you see online,
  • Use it to directly sell to you,
  • Sell the data to third parties.

 Some 14% incorrectly said that companies were not able to do any of the above with personal data.

Nazem said: “GDPR was introduced to allow people to take back control of their personal information and make informed decisions about how it is used.


“While it falls to a company to responsibly handle people’s personal data, individuals need to be aware of what information is being stored about them and what can be done with it.

“If you’re unsure about what data is being held about you, you can make a subject access request.”

A subject access request is a written or verbal request asking for access to personal information that an organisation holds or processes on you.


Currently, more than half (55%) of UK and Irish residents do not know what a subject access request is, despite 62% not trusting companies to use their data responsibly.  

Personal data that can be stored by a company under GDPR includes:

  • Your name,
  • Your date of birth,
  • Your address or mobile phone GPS,
  • Your telephone number,
  • An online identifier, such as IP address or email address,
  • The job you do,
  • Your racial or ethnic origin,
  • Identification numbers, such as PPS and passport,
  • The items you view or buy online,
  • Your bank details, including credit card,
  • The school you went to,
  • Information on your health,
  • Biometric data, such as photos and fingerprints,
  • Details about your partner/family,
  • Any trade union membership,
  • Your religious or philosophical beliefs,
  • Your political opinions,
  • Your passwords,
  • Details of your sex life and sexuality.
Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland