UK GDPR and data breach compensation: What you need to know

Personal information is a valuable commodity in today's digital world. However, careless corporate practices, human error, and cybercrime mean that this information is not safeguarded as well as it should be. Allowing your data to fall into the wrong hands may result in severe financial losses, emotional distress, and loss of privacy. 

If your personal data has been exposed as a result of a company's security failures, you have the right to seek compensation. We recognize that filing a compensation claim may be stressful, especially when you are coping with the emotional distress from your personal information being publicised. 

This article provides you with details on exactly how to claim your data breach compensation, the amount of compensation you can expect, whether you can or cannot go to court and an overview of recent and historic data breach cases.

Types of Compensations Compensation Amounts
Personal Data Breach Up to £2,000 
Medical Data Breach £2,000 - £5,000 
Financial Information Breach £3,000 - £8,600 
Catastrophic Repurcussion Breach £8,600 - £25,700 
Breach that caused physical or emotional distress Up to £42,900 

In this Article

What counts as a data breach?

A data breach is defined as the unintended or purposeful disclosure of sensitive or confidential information to an unauthorised person or entity.

Breaches are common in service-based sectors with direct public interaction. Mobile phone companies, software companies, retail stores, and banks have all made headlines in recent years as a result of data security breaches. 

We can help you make a data protection compensation claim in situations such as:

  • When your privacy has been violated as a result of a whistleblower case.
  • If you believe your personal information has been exploited or mismanaged.
  • Where your personal information has been compromised as a result of cybercrime.
  • Where your data has been lost or disclosed accidentally.
  • When a company or organisation violates the law by using your personal information for journalistic, artistic, or literary purposes without your consent.
  • Claimants allege that their company's data was disclosed as a result of a data breach
  • If your personal information has been shared with a third party without your consent.
  • When an organisation fails to keep up-to-date, accurate information on you, and as a result, you suffer damage.

What is a GDPR data breach compensation claim?

A data breach compensation claim can be filed against a single individual, a company, or a group of defendants. In the claim, you accuse the defendant of being liable for the disclosure of your personal information and say that you want monetary compensation for the damages caused.

The existing law permits you to sue for both the financial and non-material damages caused by the violation, such as loss of money and emotional distress.

Can I make a data breach compensation claim?

The GDPR was implemented in 2018 in response to the rising occurrence of data breaches. The GDPR strives to safeguard individuals and provide them control over their data in the event that it is held by a third party. The term "third-party" refers to social media platforms, online services, and offline stores.

If you suspect your data has been compromised, the GDPR regulations allow you to file a data breach claim. You have the right to seek compensation if an organisation haees caused you harm or distress by violating any aspect of the UK Data Protection Act.

However, you must first try to arrange an out-of-court deal with the defendant, also known as the third party. 

If the defendant refuses to accept your request or you are unable to reach an agreement outside of court, you have the right to take the case to court and file a legal claim. Keep in mind, however, that you must notify the defendant of your intention to pursue the matter in court.


What do you need to show before making a claim for a data breach?

For your compensation claim to be successful, you must show that the entity that had your data failed to take all reasonable means to protect the safety and security of your data and that your data was shared or made available to other third parties or organisations without your consent as a result of their carelessness.

Any firm that has your data owes you certain rights, and you can file a claim if:

  • The data might have been lost or hacked, resulting in the breach.
  • Your information was sent to a third party without your permission.
  • The company's information had not been updated, and the misinformation had caused you harm.
  • Inappropriate use of personal information had occurred. 

When are you eligible for data breach compensation?

You have the right to file a data breach claim for up to £2,000 or more in compensation under the DPA and GDPR if:

  • Your personal information has been leaked, exposed, damaged, hacked, misappropriated, or lost.
  • It was a planned or unintentional breach
  • The breach had occurred within less than six years 
  • The breach affected you emotionally and caused you mental distress 
  • You were given free credit monitoring or anything similar by the firm. 


How much data breach compensation can I receive?

The average monetary compensation for a data breach ranges from £1,000 to £42,900. In some situations, if a personal data breach causes you considerable emotional distress, you may be eligible to seek further compensation.

The amount of compensation for a data breach varies depending on the type of breach and the court decision. 

Different types of data breach compensations

The figures below can be used as a general estimate of how much compensation you could be entitled to as a result of various kinds of breaches. 

  • For a minor breach of personal data, such as your name, date of birth, home address, and email address, the lowest compensation is offered. For such violations, you may be entitled to compensation of up to £2,000.
  • For a breach of medical information, you are entitled to a higher reimbursement, ranging from £2,000 to $5,000.
  • If your financial information is stolen, you may be entitled to compensation ranging from £3,000 to £8,600, depending on the severity of the incident.
  • For more significant data protection breaches that have resulted in catastrophic repercussions, you can obtain anything from £8,600 to £25,700.
  • If the data breach has caused you bodily or emotional harm, you may be entitled to compensation of up to £42,900. You must, however, present proof of your physical condition and financial losses in such circumstances. 

It is crucial to remember that these are only approximate figures. The court will determine your precise compensation amount. If the court determines that you have not presented enough proof for your case, it may refuse your compensation request. In such a circumstance, the court may even require you to pay the defendant's legal fees. 

What is the time limit to file a data breach claim?

You have six years to file a claim in the United Kingdom. This implies that if your data was leaked in the previous six years, you may now file a compensation claim.

If you fail to comply with or recognise the appropriate limitation period or date, you may lose your right to request your claim. If your claim involves a potential violation of your data rights, you must act immediately. 

Once again, a data breach compensation claim is only achievable if you are able to demonstrate that you have experienced financial losses, physical harm, threats or emotional distress as a result of the data breach. 

Do I have to go to court to get compensation for a breach of data protection law?

You do not need to file a lawsuit in order to get compensation. It is possible that the organisation will just agree to pay it to you. If it refuses to pay, your next step will be to file a lawsuit. Your matter would be decided by the court. It would decide whether or not the organisation had to give you compensation if it agreed with you.

Even if a court finds that an organisation has breached data protection laws, the ICO cannot issue compensation.

We highly advise you to get independent legal advice on the validity of your claim from organisations such as DataGuard before going to court.

How much compensation will the court award me if my claim is successful?

This will be decided by the judge hearing the case, who will consider all the facts. This includes the severity of the infringement and its impact on you, especially when determining the amount of distress you experienced.

You should ask the court how you may enforce the judgement if the organisation refuses or is unable to pay.

How much have previous data breach claims received in compensation?

Over time, the amount of money paid out in compensation for data breach claims has risen. Initial Data Protection Act breaches often resulted in damages of around £2,500 for the revealing of personal information.

However, as organisations have gathered more personal information, more cases have gone to court, setting new standards. The following are some of the most well-known recent data breaches.

Company What happened? Average Claim Amount
Easyjet  Hackers gained access to 9 million customers' personal information during a cyber-attack on Easyjet's IT servers. £2,000 
118 118 Money  Hackers targeted customer call recordings in which personal information might have been shared. £1,500 
Blackbaud  A cyber-attack on software company Blackbaud stole confidential information that impacted other organisations related to them, including National Trust. £2,000-£3,000 
Bounty  Personal data of pregnant women and mothers were disclosed to third parties for marketing reasons, totalling about 35 million pieces of information. £1,000 – £2,000 
Bristol City Council  Hundreds of families with handicapped children had their names disclosed without their consent due to an email error made by a council employee. £2,000-£3,000 
British Airways   420,000 consumers' personal and financial information was taken in a breach. Up to £6,000 
Claire’s Accessories  During online checkout, a hacker used malicious code to collect client information. £3,000 – £5,000 
Dixons  Malware on store tills accessed over 10 million customer details in a hack. £1,500 
Equifax  Cyber hackers gained access to Equifax's computers in the United States and stole the personal information of 146 million individuals all over the world. £1,000 – £2,000 
Equiniti  Hundreds of Sussex police officers' yearly benefit statements were issued to the wrong addresses. £1,000 – £2,000 
Hockley Medical Practice  Hackers gained access to the medical records of thousands of patients.   £3,000 
Lloyds Pharmacy  A delivery organisation delivered private medical information to a property in Scotland by mistake. £1,500 
LOQBOX  Hackers gained access to personal data and, in some circumstances, credit card data as a result of a cyber-attack. £4,000 
Marriott  7 million visitor records in the UK were impacted by a cyber-attack in 2014 that was not found until 2018 £2,500 
National Trust  Although the breach started with Blackbaud, it impacted National Trust fundraisers and volunteers since personal information was exposed. £2,000-£3,000 
OnePlus  Personal data was stolen by cyber thieves when information was hacked through an online retailer £1,500 – £2,000 
T-Mobile  Hackers gained access to personal information of over 1.2 million prepaid users as a result of the breach. £1,500 – £2,000 
TeamSport  Hundreds of former employees' personal and financial data were accidentally released to an individual.   £4,000 
Ticketmaster  Cyber hackers stole the personal and financial information of 40,000 consumers.   £5,000 
Twitter  The private tweets of 88,726 Twitter users were made public due to a glitch. £1,000 
Virgin Media  Personal information of current and future clients was accessed without consent due to an insecure database. £5,000 
Watford Community Housing   Due to a staff member's error, emails containing personal information on 3,545 renters were sent out. £2,000 
Zoom  Targeted by a cyberattack that resulted in the selling of about 500,000 user accounts on the dark web £2,500 


You may not be aware that your data has been compromised until you learn that a corporation has been penalised by the ICO. In such circumstances, it is important to investigate whether your data was compromised since, if it was, you could be eligible for compensation.

Because data protection claims have strict time constraints, it is critical to act quickly to ensure you do not lose your right to submit a claim.

As we've explored, individuals have significant rights under the GDPR, particularly in relation to data breaches. This reality presents an important opportunity for businesses. Being responsible with data not only builds trust with your customers, it's also a legal necessity.

Understanding GDPR and implementing a robust data protection strategy is essential for today's businesses. With DataGuard's Privacy-as-a-Service, you can ensure that your business not only complies with these regulations, but also demonstrates a commitment to data security. Protect your business and your customers by exploring our tailored data protection solutions. Find out how we can help your business stay secure and compliant.

Do you have unanswered questions about data breach compensation? Don't hesitate to reach out to us for a free consultation.

GDPR for small businesses 212x234 UK GDPR for small businesses 800x600 MOBILE UK

Strengthen your privacy

Are you a small business trying to understand how the GDPR applies to your organisation?
Learn how!

Download now!

About the author

DataGuard Privacy Experts DataGuard Privacy Experts
DataGuard Privacy Experts

Dive into the world of data protection, compliance, ethics, and data security with hands-on advice and actionable opinions from our certified Data Protection Officers and Privacy Consultants from Germany, the UK, and Austria. Coming from a wide range of backgrounds like business, legal, tech, or marketing, our specialists share the latest news and solutions to current challenges, as well as their takes on recent judgements and legal decisions with you. Their aim? Enable you to make the right decisions and keep your business safe, build trust, and grow revenue while remaining compliant with current privacy laws. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional/Europe (IAPP), Certified Information Privacy Manager (IAPP) Information Security, Certified Information Privacy Technologist (IAPP), Certified Practitioner in Data Protection (BCS), Certified Data Protection Officer (TÜV), Fellow of Information Privacy (IAPP), Certified EU General Data Protection Regulation Practitioner (IBITGQ), Data Protection Officer & Europrivacy Auditor, Practitionier Certificate in Data Protection, PC.dp. (GDPR)

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk