Personal information is a valuable commodity. However, careless corporate practices, human error, and cybercrime mean that this information is not safeguarded as well as it should be. Allowing personal data to fall into the wrong hands may result in severe financial losses, emotional distress, and loss of privacy.
If an individual's personal data has been exposed as a result of a data breach in your company, they have the right to seek compensation.
Get all the details on how affected individuals can claim compensation in case of a data breach in your company, including the amount of compensation expected. Use these insights to get your company up to speed on data breach compensation.
In this blog post, we'll cover:
- What counts as a data breach?
- What is a GDPR data breach compensation claim?
- Who can make a data breach compensation claim?
- What do affected persons need to show before making a claim for a data breach?
- When are individuals eligible for data breach compensation?
- How much data breach compensation can an affected person receive?
- What is the time limit to file a data breach claim?
- Do individuals affected by the data breach have to go to court to get compensation?
- How much compensation will the court award if the data breach compensation claim is successful?
- How much have previous data breach claims received in compensation?
- How to ensure data privacy and avoid data breaches in your organisation
What counts as a data breach?
A data breach is defined as the unintended or purposeful disclosure of sensitive or confidential information to an unauthorised person or entity.
Breaches are common in service-based sectors with direct public interaction. Mobile phone companies, software companies, retail stores, and banks have all made headlines in recent years as a result of data security breaches.
Affected persons can claim a compensation claim in situations such as:
- When their privacy has been violated as a result of a whistleblower case.
- If they believe their personal information has been exploited or mismanaged.
- When their personal information was compromised as a result of cybercrime.
- When their data has been lost or disclosed accidentally.
- When a company or organisation violates the law by using their personal information for journalistic, artistic, or literary purposes without their consent.
- If their personal information has been shared with a third party without their consent.
- When an organisation fails to keep up-to-date, accurate information on them, and as a result, they suffer damage.
What is a GDPR data breach compensation claim?
A data breach compensation claim can be filed against a single individual, a company, or a group of defendants. In the claim, the affected individual accuses the defendant of being liable for the disclosure of their personal information and requests monetary compensation for the damages caused.
The existing law permits people to sue for both the financial and non-material damages caused by the violation, such as loss of money and emotional distress.
Who can make a data breach compensation claim?
The GDPR was implemented in 2018 in response to the rising occurrence of data breaches. The GDPR strives to safeguard individuals and provide them control over their data in the event that it is held by a third party. The term "third-party" refers to social media platforms, online services, and offline stores.
If a person suspects their data has been compromised, the GDPR regulations allow them to file a data breach claim. They have the right to seek compensation if an organisation has caused them harm or distress by violating any aspect of the UK Data Protection Act.
However, the affected person must first try to arrange an out-of-court deal with the defendant. If a data breach happened in your organisation, the defendant in this case would be you.
If you refuse to accept their request or cannot reach an agreement outside of court, they have the right to take the case to court and file a legal claim. But the person would need to first notify you about their intention to pursue the matter in court.
What do affected persons need to show before making a claim for a data breach?
For the compensation claim to be successful, the affected individual must show that you, as their data handler, failed to take all reasonable means to protect the safety and security of their data and that their data was shared or made available to other third parties or organisations without their consent as a result of your data breach.
Any company that deals with personal data owes those persons certain rights, and they can file a claim if:
- The data might have been lost or hacked, resulting in the breach.
- Their information was sent to a third party without their permission.
- Your company's information had not been updated, and the misinformation had caused them harm.
- Inappropriate use of personal information had occurred.
When are individuals eligible for data breach compensation?
The affected persons have the right to file a data breach claim for up to £2,000 or more in compensation under the DPA and GDPR if:
- Their personal information has been leaked, exposed, damaged, hacked, misappropriated, or lost.
- It was a planned or unintentional breach.
- The breach had occurred within less than six years.
- The breach affected them emotionally and caused mental distress
- They were given free credit monitoring or anything similar by your company.
How much data breach compensation can an affected person receive?
The average monetary compensation for a data breach ranges from £1,000 to £42,900. In some situations, if a personal data breach causes an individual considerable emotional distress, they may be eligible to seek further compensation.
The amount of compensation for a data breach varies depending on the type of breach and the court decision.
Different types of data breach compensations
The figures below can be used as a general estimate of how much compensation you could be entitled to as a result of various kinds of breaches.
- For a minor breach of personal data, such as your name, date of birth, home address, and email address, the lowest compensation is offered. For such violations, you may be entitled to compensation of up to £2,000.
- For a breach of medical information, you are entitled to a higher reimbursement, ranging from £2,000 to $5,000.
- If your financial information is stolen, you may be entitled to compensation ranging from £3,000 to £8,600, depending on the severity of the incident.
- For more significant data protection breaches that have resulted in catastrophic repercussions, you can obtain anything from £8,600 to £25,700.
- If the data breach has caused you bodily or emotional harm, you may be entitled to compensation of up to £42,900. You must, however, present proof of your physical condition and financial losses in such circumstances.
| Types of Compensations | Compensation Amounts |
| Personal Data Breach | Up to £2,000 |
| Medical Data Breach | £2,000 - £5,000 |
| Financial Information Breach | £3,000 - £8,600 |
| Catastrophic Repurcussion Breach | £8,600 - £25,700 |
| Breach that caused physical or emotional distress | Up to £42,900 |
It is crucial to remember that these are only approximate figures. The court will determine your precise compensation amount. If the court determines that you have not presented enough proof for your case, it may refuse your compensation request. In such a circumstance, the court may even require you to pay the defendant's legal fees.
What is the time limit to file a data breach claim?
Affected individuals have six years to file a claim in the United Kingdom. This implies that if their data was leaked in the previous six years, they may now file a compensation claim.
If they fail to comply with or recognise the appropriate limitation period or date, they may lose their right to request the claim. If their claim involves a potential violation of their data rights, they must act immediately.
Once again, a data breach compensation claim is only achievable if they are able to demonstrate that they have experienced financial losses, physical harm, threats or emotional distress as a result of the data breach in your company.
Do individuals affected by the data breach have to go to court to get compensation?
Persons affected by a data breach do not need to file a lawsuit in order to get compensation. It is possible that your organisation, for example, will simply agree to pay it. If you do refuse to pay, their next step will be to file a lawsuit. Then the matter would be decided by the court.
How much compensation will the court award if the data breach compensation claim is successful?
This will be decided by the judge hearing the case, who will consider all the facts. This includes the severity of the infringement and its impact on the affected person, especially when determining the amount of distress they experienced.
How much have previous data breach claims received in compensation?
Over time, the amount of money paid out in compensation for data breach claims has risen. Initial Data Protection Act breaches often resulted in damages of around £2,500 for revealing personal information.
However, as organisations have gathered more personal information, more cases have gone to court, setting new standards. The following are some of the most well-known recent data breaches.
| Company | What happened? | Average Claim Amount |
| Easyjet | Hackers gained access to 9 million customers' personal information during a cyber-attack on Easyjet's IT servers. | £2,000 |
| 118 118 Money | Hackers targeted customer call recordings in which personal information might have been shared. | £1,500 |
| Blackbaud | A cyber-attack on software company Blackbaud stole confidential information that impacted other organisations related to them, including National Trust. | £2,000-£3,000 |
| Bounty | Personal data of pregnant women and mothers were disclosed to third parties for marketing reasons, totalling about 35 million pieces of information. | £1,000 – £2,000 |
| Bristol City Council | Hundreds of families with handicapped children had their names disclosed without their consent due to an email error made by a council employee. | £2,000-£3,000 |
| British Airways | 420,000 consumers' personal and financial information was taken in a breach. | Up to £6,000 |
| Claire’s Accessories | During online checkout, a hacker used malicious code to collect client information. | £3,000 – £5,000 |
| Dixons | Malware on store tills accessed over 10 million customer details in a hack. | £1,500 |
| Equifax | Cyber hackers gained access to Equifax's computers in the United States and stole the personal information of 146 million individuals all over the world. | £1,000 – £2,000 |
| Equiniti | Hundreds of Sussex police officers' yearly benefit statements were issued to the wrong addresses. | £1,000 – £2,000 |
| Hockley Medical Practice | Hackers gained access to the medical records of thousands of patients. | £3,000 |
| Lloyds Pharmacy | A delivery organisation delivered private medical information to a property in Scotland by mistake. | £1,500 |
| LOQBOX | Hackers gained access to personal data and, in some circumstances, credit card data as a result of a cyber-attack. | £4,000 |
| Marriott | 7 million visitor records in the UK were impacted by a cyber-attack in 2014 that was not found until 2018 | £2,500 |
| National Trust | Although the breach started with Blackbaud, it impacted National Trust fundraisers and volunteers since personal information was exposed. | £2,000-£3,000 |
| OnePlus | Personal data was stolen by cyber thieves when information was hacked through an online retailer | £1,500 – £2,000 |
| T-Mobile | Hackers gained access to personal information of over 1.2 million prepaid users as a result of the breach. | £1,500 – £2,000 |
| TeamSport | Hundreds of former employees' personal and financial data were accidentally released to an individual. | £4,000 |
| Ticketmaster | Cyber hackers stole the personal and financial information of 40,000 consumers. | £5,000 |
| The private tweets of 88,726 Twitter users were made public due to a glitch. | £1,000 | |
| Virgin Media | Personal information of current and future clients was accessed without consent due to an insecure database. | £5,000 |
| Watford Community Housing | Due to a staff member's error, emails containing personal information on 3,545 renters were sent out. | £2,000 |
| Zoom | Targeted by a cyberattack that resulted in the selling of about 500,000 user accounts on the dark web | £2,500 |
How to ensure data privacy and avoid data breaches in your organisation
As we've explored, individuals have significant rights under the GDPR, particularly in relation to data breaches. This reality presents an important opportunity for businesses. Being responsible with data not only builds trust with your customers, it's also a legal necessity.
Understanding GDPR and implementing a robust data protection strategy is essential for today's businesses. With DataGuard's Privacy-as-a-Service, you can ensure that your business not only complies with these regulations but also demonstrates a commitment to data security.
Protect your business and your customers by exploring our tailored data protection solutions. Find out how we can help your business stay secure and compliant.
Do you have unanswered questions about data breach compensation? Don't hesitate to reach out to us for a free consultation.
Strengthen your privacy
Are you a small business trying to understand how the GDPR applies to your organisation?
Learn how!
