
Data Breach Compensation (GDPR)

Your data was exposed? You may be owed compensation.


#At a Glance

  • Difficulty: ⭐⭐ Medium
  • Time to DIY: 2–4 hours
  • Typical Payout: £500–£5,000 (individual claims)
  • Time Limit: 6 years
  • Escalation: ICO / County Court

#What Is It?

Under GDPR and the Data Protection Act 2018, organisations must protect your personal data. If they fail and you suffer:

  • Material damage (financial loss, identity theft)
  • Non-material damage (distress, anxiety, loss of control)

…you can claim compensation.


#What Counts as a Data Breach?

  • Hacking incidents – your data stolen by attackers
  • Accidental disclosure – data sent to the wrong person
  • Lost devices – unencrypted laptops/USBs lost
  • Phishing – employees tricked into revealing data
  • Poor security – inadequate protection leading to exposure
  • Unlawful sharing – data shared without consent

#Am I Eligible?

#✅ You may have a claim if:

  • Your personal data was involved in a breach
  • The organisation failed in its data protection duties
  • You suffered distress or financial loss as a result

#✅ Evidence of harm:

  • Anxiety, stress, or upset
  • Time spent dealing with the breach
  • Financial losses (fraud, identity theft)
  • Increased spam/scam attempts
  • Loss of control over personal information

#❌ Weaker claims:

  • No evidence you were actually affected
  • Data was already publicly available
  • Minimal distress caused

#Compensation Levels

Impact | Typical Range
Minimal distress | £100–£500
Moderate distress | £500–£2,000
Significant distress (anxiety, loss of sleep) | £2,000–£5,000
Severe distress + financial loss | £5,000–£20,000+
Group actions (large breaches) | Often £2,000–£5,000 per person

#Step-by-Step Process

#Step 1: Confirm You Were Affected

  • Did you receive a breach notification?
  • Is your data listed as exposed?
  • What types of data were involved?

💡 Need more information? Submit a Subject Access Request to find out exactly what data was exposed.

#Step 2: Document the Impact

  • Keep notes of how it affected you
  • Save evidence of increased spam/scams
  • Document time spent dealing with it
  • Note any financial losses

#Step 3: Complain to the Organisation

  • Write to explain that you want compensation
  • Describe the distress/loss caused
  • Give them a chance to offer a settlement

📝 Use our template: GDPR/Data Breach Complaint Letter

#Step 4: Report to ICO (Optional)

  • Information Commissioner's Office
  • They can investigate and fine the organisation
  • They cannot award you compensation directly

#Step 5: Make a Court Claim (If Needed)

  • Small Claims Court for under £10,000
  • No lawyers needed
  • Organisation may settle to avoid court

#Sample Compensation Request

Dear [Data Controller],

Compensation Claim – Data Breach

I am writing to claim compensation following the data breach that affected my personal information.

On [date], I was notified that my data had been exposed, including [list data types – name, email, address, financial details, etc.].

As a result of this breach, I have suffered:

  • Distress and anxiety: [Describe impact – e.g., "I have been anxious about potential identity theft and have spent considerable time monitoring my accounts"]
  • Increased scam attempts: [If applicable – "I have received numerous phishing emails and scam calls since the breach"]
  • Financial loss: [If applicable – describe any fraud or costs incurred]
  • Time spent: [Hours spent dealing with the issue]

Under Article 82 of GDPR and Section 169 of the Data Protection Act 2018, I am entitled to compensation for both material and non-material damage.

I am seeking compensation of £[amount – typically £500–£2,000 for moderate distress].

Please respond within 14 days.

Yours faithfully,

[Your Name]


#Group Actions (Class Actions)

Large breaches often lead to group actions:

  • British Airways breach (2018): £2,000 average settlement
  • EasyJet breach (2020): Group action ongoing
  • Various NHS breaches: Settled

How to join:

  • Look for law firms running "no win, no fee" group actions
  • They typically take 25–35% of compensation
  • Can be worthwhile for large breaches

#ICO Complaints

The ICO can:

  • Investigate the breach
  • Issue fines to the organisation
  • Order them to improve practices

The ICO cannot:

  • Award you compensation
  • Force the organisation to pay you

But an ICO finding of wrongdoing strengthens your compensation claim.


#Common Questions

Q: The company offered me free credit monitoring – is that enough?

Credit monitoring is helpful but doesn't compensate for distress. You can accept it AND claim compensation.

Q: I haven't had any fraud – can I still claim?

Yes. Distress, anxiety, and loss of control over your data are compensable even without financial loss.

Q: The breach was by a hacker – is the company still liable?

Usually yes. Companies must have reasonable security. A successful hack may indicate they didn't.

Q: Should I join a group action or claim individually?

Group actions are easier, but you may get less. Individual claims can be higher but require more effort.