Claim GDPR Data Breach Compensation

By Danielle Graves. Last Updated 6th October 2023. If you’ve suffered the negative consequences of a GDPR breach, it can help to understand your legal rights and options. You could, for example, be entitled to compensation.

In this guide, we discuss data breach claims in detail. We look at the eligibility criteria for making a claim, how to connect with No Win No Fee solicitors (such as those we work with), and potential compensation amounts you could receive.

However, if you’d rather speak with someone directly, our helpline is open now. We offer a free case check to everyone who calls and that carries no obligation on your part to make a claim. You can simply get the advice you need.

  • You can call us now on 0161 696 9685
  • You can also chat with us now via our live chat box in the bottom corner of your screen

Select A Section

  1. What Is A GDPR Breach?
  2. Who Could You Claim Data Breach Compensation From?
  3. Do I Need To Report A Data Breach Before Claiming Compensation?
  4. Data Breach Compensation Examples
  5. Types Of Damages Awarded For Breaches Of The GDPR
  6. What Evidence Do I Need To Prove A UK GDPR Breach?
  7. Make A GDPR Breach Compensation Claim With A No Win No Fee Solicitor
  8. Talk To Us About Your GDPR Data Breach Compensation Claim
  9. Learn More About What To Do After A GDPR Breach

What Is A GDPR Breach?

So what is a GDPR breach exactly?

The ICO classifies a GDPR data breach as any unlawful or accidental act resulting in the loss, destruction, alteration, and exposure of data that leads to a security breach. This covers a very wide area of human error and criminality. Some general examples of a data breach that could affect anyone are:

  • Personal details are left on a computer screen for unauthorised people to see
  • Sensitive information not shredded or properly disposed of
  • Staff conversations that are inappropriate or in earshot of others
  • Important documents left lying around
  • Loss or theft of laptops, USB sticks or smartphones
  • Filing cabinets left unlocked and freely accessible
  • Social media posts that include personal details without consent
  • Passing on your personal information to unauthorised sources

The ICO recognises that there are distinct people who can be involved in a data breach:

  • ‘Controllers’ are the agencies or companies in possession of our personal data
  • ‘Processors’ are people who handle the data either at the behest of the controller or as an outside agency tasked with that job
  • ‘Third parties’ are those to whom the data could be shared or sent, with or without consent, on or offline.

Concerning lapses in security could happen at any stage amongst these three parties but they are all bound by the law regardless. Because of GDPR, all companies have a duty to report breaches to those affected within 72 hours. They must also have rigorous in-house security software in place and must share information legally and securely. 

If you can demonstrate that they failed in this duty and allowed a breach, you could claim.

Who Could You Claim Data Breach Compensation From?

The core principles of GDPR aim to safeguard your personal information from abuse. That abuse can range in severity. So what are some typical examples of cybercrime or data breaches? Marketing schemes can use your email or mobile number to send junk mail or nuisance texts. At the other extreme, your entire identity can be stolen.

Organised gangs search the dark web looking for personal data to construct fraudulent identities. They use this information to steal from banks and financial institutes. The consequences of your details being left unattended could cast a shadow over your life for years. Providers such as the following can all be at fault:

  • Banks and building societies
  • Universities
  • Hospitals, GPs and healthcare providers
  • Nurseries and schools
  • Retail outlets
  • Government and local authority agencies
  • Social services
  • Dentists
  • Housing associations
  • Ticket outlets and travel providers

The ICO holds all these companies and agencies to a very high standard of practice. They expect those in possession of our data to have robust software and firewalls, good encryption techniques and solid password procedures to protect client details. Screens that time out automatically and multiple password options may seem irritating when we are trying to use these facilities, but each obstacle that prevents a cybercriminal helps us.

As you move forward with a data breach complaint, the ICO can step in and take up your case if you have failed to receive a satisfactory response within three months of your last contact with the agency at fault. The ICO does not award compensation, but they can help with the complexity of a data breach case, and the findings of their investigation could serve as crucial evidence in your own claim.

Speak to our team if you have been affected by a data breach. Whoever the agency was, they have a duty to handle information properly and carefully. If they failed, GDPR data breach compensation could be awarded.

Do I Need To Report A Data Breach Before Claiming Compensation?

If you discover that your personal data has been compromised, you may wonder whether you have to report a data protection breach to be eligible to claim compensation for a data breach.

If you discover that your personal information has been breached, you could report the breach to the organisation responsible and have them clarify what information was involved.

Alternatively, the organisation must inform you if your personal data has been involved in a breach without undue delay if they believe that your rights or freedom may be at risk. Keep any correspondence with the organisation responsible regarding the breach, as this could be used as evidence in your data breach claim.

Additionally, you could report a data breach to the Information Commissioner’s Office (ICO). The ICO is an independent body that upholds information rights and data protection law. If the ICO decides to investigate the breach, their findings could be used as evidence in your claim. However, you must do this within 3 months of your last meaningful communication with the organisation about the breach.

Keeping any spam messages or emails could help further prove that your personal data was compromised. Furthermore, you should gather evidence to prove you suffered financially and mentally due to the breach. For example, this could be a copy of your bank statements and your medical records stating your diagnosis.

If you would like further advice about what to do following a UK GDPR breach of your personal data, you can contact our advisors.

Data Breach Compensation Examples

The Judicial College Guidelines is a publication that lists suggested compensation award amounts for people who have suffered injury through no fault of their own. Since the change in the law that states GDPR data breach compensation can be sought for emotional distress alone, it is now possible for data breach lawyers to evaluate on this basis. The table below shows what awards are recommended for the pain, suffering and anguish certain medical conditions can create:

| Injury | Effects | Suggested Award |
|---|---|---|
| Psychiatric Damage - Severe | Severe problems that affect many areas of daily and social life. | £54,830 to £115,730 |
| Psychiatric Damage - Moderately Severe | Significant problems with daily life. But, there is a more optimistic prognosis. | £19,070 to £54,830 |
| Psychiatric Damage - Moderate | Marked improvements have been made, despite having struggles with various problems. | £5,860 to £19,070 |
| Psychiatric Damage - Less Severe | The effect on daily activities and sleep will be taken into account. | £1,540 to £5,860 |
| PTSD - Severe | Inability to function the same as pre-trauma due to permanent effects. | £59,860 to £100,670 |
| PTSD - Moderately Severe | Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future. | £23,150 to £59,860 |
| PTSD - Moderate | Largely recovered with any persisting symptoms not being majorly disabling. | £8,180 to £23,150 |
| PTSD - Less Severe | A full recovery is made within 2 years, with only minor problems persisting after this. | £3,950 to £8,180 |

Combined, these amounts can greatly boost a GDPR data breach compensation total. To receive a more specific valuation relevant to your case, please get in touch with our team.

Types Of Damages Awarded For Breaches Of GDPR

When it comes to GDPR data breach compensation claims, there are two types of damage, described as ‘material’ and ‘non-material’. Both require evidence.

Material Damage

This covers the tangible paper trail that proves you had to spend money in order to cope with the effects of the data breach. It could also prove that sudden and unusual amounts of money went missing from your account as a consequence of theft and fraud. It can also cover any harm to credit ratings. Your bank or the agency should certainly help provide details here. It’s also in their best interests to get to the bottom of the data breach and the problems it has caused.

Non-Material Damage

Non-material compensation refers to the damages you could receive for mental distress. As our table above illustrates, it is entirely plausible to suffer acute emotional and psychological harm from the worry of sudden money loss or identity violation. Often people tend to dismiss these effects, imagining that they should ‘get on with it’ and focus on the monetary loss caused by a data breach. But these consequences are just as serious, more so in many cases. If you suffered mental problems such as:

  • Insomnia or disturbed sleep
  • Irritability
  • Anxiety or panic attacks
  • Phobia or sudden extremes of mood
  • Depression
  • PTSD (Post-traumatic stress disorder)
  • Suicidal thoughts

It’s important to remember they could all have an award amount attributed to them. These are very serious impacts on your health and well-being. If they were caused by the failure of another to properly practice GDPR guidelines, they may have been avoidable, too. Start your claim today at Legal Helpline and begin to put it right.

What Evidence Do I Need To Prove A UK GDPR Breach?

If an organisation has breached the rules set out in the UK GDPR, you could claim for a breach of your personal data, as long as you meet the correct eligibility criteria.

Following a UK GDPR breach that has compromised your personal data and caused you emotional loss or financial damage, there is evidence you could present to help support your case for data breach compensation. Some examples include:

  • You may have received a letter or email informing you that your personal data has been breached. This could be used as evidence in your claim.
  • Any correspondence between yourself and the organisation regarding the breach could also be presented as evidence to support your case.
  • As previously mentioned in this guide, you could report the data breach to the ICO. If they decide to investigate it, their findings could be used as evidence.
  • Evidence of the mental harm you have suffered due to the personal data breach. For example, a copy of your medical records stating any psychological injuries you have been diagnosed with.
  • Evidence of the financial losses you have suffered due to the breach, such as a copy of your bank or credit card statements.

If you would like to further discuss what evidence could be helpful for personal data breach claims, speak with an advisor from our team.

Make A GDPR Breach Compensation Claim With A No Win No Fee Solicitor

No Win No Fee arrangements can help give you access to justice. There are many benefits to using the services of a data breach solicitor in this way and at Legal Helpline we can introduce you to some with over three decades of experience. When you sign a No Win No Fee agreement (or Conditional Fee Agreement) you can:


  • Use the services of your lawyer throughout the claims process with still no charge
  • Pay nothing to your lawyer if your case does not succeed
  • The data breach lawyer will advise right at the start how viable your case is, so no time wasting
  • They also have a committed interest in giving your case their full attention as their fee comes from a successful result also
  • If your case wins you only need to pay a small percentage to the data breach solicitor as their fee to help cover their costs

No Win No Fee is fast, cost-effective and professional. With the reduced financial risk to you, it can be possible to take on the huge multi-national or government agency that breached your data. You can hold them to account for their sloppy handling of your private information.

Talk To Us About Your GDPR Data Breach Compensation Claim

We hope that this article has helped in your decision to start a GDPR data breach compensation claim. Help is out there to reclaim your lost money and restore your peace of mind. Legal Helpline can offer you an introduction to data breach solicitors from our panel who can really help put this nightmare behind you. Simply:

  • Call our friendly team available right now on 0161 696 9685
  • Write or email at Legal Helpline
  • Use the ‘live support’ option for immediate help

Learn More About What To Do After A GDPR Breach

In addition to the topics discussed, you can refer here for advice on how to use cybersecurity to protect your data. Support for cybercrime victims is available here and also you can read more information on data matters from the ICO here.

Why not take a look at some of our other data breach guides?

Thank you for reading our guide to GDPR breach compensation claims.