In recent years, the spotlight has been shone on businesses which hold the personal data of individuals. The pressure is on for these businesses to realistically assess whether they do enough to protect personal data and ensure its proper use.
The General Data Protection Regulation (GDPR) is coming into force on 25 May 2018, giving enhanced rights to individuals. However, if a data protection breach occurred before this date, the protection given to individuals is contained in the Data Protection Act 1998 (DPA).
The DPA applies to processing of personal data by a data controller. Section 1(1) provides that "processing" includes obtaining, recording or holding of data. "Personal data" means data relating to a living individual who can be identified from that data. This means that the DPA affects a wide variety of businesses.
If a business is acting as a data controller for the purposes of the DPA, it will have obligations in relation to any personal data that it holds. Schedule 1 of the DPA sets out a series of obligations which data controllers must comply with. These obligations include processing data fairly and lawfully, processing it for a specific lawful purpose only, collecting only as much data as is adequate or relevant, and taking appropriate technical and organisational security measures to prevent unlawful data processing. If a business breaches the obligations imposed by the DPA, what action can an individual take? Section 13(1) states that individuals who suffer losses due to breach of the DPA by a data controller may claim compensation.
It used to be the case that you would have to show some degree of financial loss before the court would consider any claim for distress. However, the Court of Appeal has made it easier for individuals to claim damages for the distress caused by a breach of the DPA. Should you suspect that a business has breached its DPA obligations in relation to your data, you may be entitled to compensation as a consequence.