GDPR Data Breach Compensation – How Much Compensation Can I Get For A GDPR Breach?

By Max Murdoch. Last Updated 21st July 2022. Welcome to our guide covering GDPR breach compensation. In it, you will find data breach compensation examples, and insight into the data breach compensation amount you could receive when claiming GDPR compensation. We answer questions about GDPR compensation amounts and give GDPR data breach compensation examples. We also show you how to claim medical data breach compensation, or for other types of data breach that have harmed you.

How much compensation can I get for a GDPR breach?

Did you know that if you suffer financially or emotionally due to a GDPR data breach, you could have a right to claim compensation? GDPR stands for the General Data Protection Regulation and it is arguably the world’s most stringent data privacy and security law.

In the UK, we have enshrined the application of the UK GDPR into the Data Protection Act 2018. Access to your personal data that breaches GDPR could result in the ICO investigating and fining the organisation that had the breach. It could also give you the right to seek compensation for non-material (psychological injuries or emotional distress) and material (financial) damages.

I Suffered A GDPR Data Breach, What Are My Rights To Compensation?

GDPR data breach compensation claims guide

In this guide, we provide you with a useful insight into the causes of a data breach, including negligence, mismanagement of data, a cyber attack and human error. In the sections that follow, you’ll find an explanation of what GDPR covers, and examples of what personal data breaches could involve.

We also look at how data breach lawyers and courts could arrive at appropriate compensation payouts for a breach of data protection. You can also find information about what evidence you may need to claim, as well as how to begin your journey to compensation.

Ask Us For More Data Breach Compensation Examples And Start Your Claim

If you would like assistance from a data breach solicitor, or you’d like us to assess your eligibility to claim, please don’t hesitate to contact us. You can reach our friendly, knowledgeable team on 0800 073 8801. We could provide further insight whether you’ve suffered a credit card data breach, comparison site data breach or a breach by any other organisation.

A Guide To GDPR Data Breach Compensation Claims

Whether you’re interacting with an employer, a bank, the post office or any other organisation, they may ask you for some of your personal information so they can provide you with services, fulfil a contract, or for other reasons.

An organisation that decides why and how your data is collected would be considered a data controller. As such, they have a legal duty to comply with data protection law. A failure to do so could mean that a victim of a data breach could be eligible to claim GDPR breach compensation if they suffer financially or emotionally because of the breach.

How Do I Know If I Could Claim GDPR Breach Compensation?

However, there are restrictions when it comes to making such claims. One of these is how long you could have to launch a claim. While some data breach claims have a limitation period of 6 years, others involving a public body only have a limitation period of 1 year. Therefore, you may be looking to begin a claim as soon as possible. This guide could help you get started.

In the below sections, we guide you through the GDPR. We explain when this law came into force, how it is intended to give you more control over the disclosure of and access to your personal data, and how a breach of your data could happen. In addition to this, we provide guidance on the damages that could be included in compensation awards for a data breach of GDPR.

At the end of this guide, we explain how we could match you with a data breach lawyer who could help you fight for compensation on a No Win No Fee basis.

What Is The GDPR?

In 2018, a new law came into force. The General Data Protection Regulation was created by the EU. It is arguably the strictest data privacy and security law in the world to date. The UK has enacted its application of GDPR in the Data Protection Act 2018.

There are several guiding principles that data controllers need to adhere to when collecting, storing and processing people’s personal information. These include:

  • Lawfulness, fairness and transparency – the storage, processing and collection of personal data must not breach laws. It must be done fairly and with transparency to the data subject.
  • Purpose limitation – data controllers must identify the purpose for data processing and ensure the processing is limited to its purpose.
  • Data minimisation – organisations must ensure they only process the minimum amount of data required for its purpose.
  • Accuracy – an organisation should ensure the data they process is accurate and keep it as up to date as possible.
  • Storage limitation – they must also ensure they do not store data for longer than it is needed for its specified purpose.
  • Integrity and confidentiality – there must be appropriate security measures to protect personal data.
  • Accountability – organisations must be able to demonstrate their compliance with GDPR.

If an organisation breaches GDPR, and this causes emotional or financial harm to victims of a data breach, those victims could, under Section 168 of the Data Protection Act 2018, claim GDPR breach compensation.

What Is A GDPR Data Breach?

The Information Commissioner’s Office is a public body set up to uphold individuals’ data rights. It defines a data breach as being a security breach that leads to the accidental or unlawful destruction, loss, alteration, disclosure of or access to personal data.

What are the consequences of breaching GDPR?

Data protection breaches could result from human error, malicious behaviour (such as a cyber attack), or negligence. For example:

  • Your data could be breached if a hacker uses a bot to exploit vulnerabilities in an organisation’s systems. They could gain access to cloud databases, or even a VPN (Virtual Private Network). If they do, they could use software such as malware, ransomware, spyware or a virus to breach data held on such systems.
  • Human error could also cause a data breach. If someone accidentally sends your data to an unauthorised person, or even leaves a filing cabinet unlocked, leading to unauthorised access of your data, this could lead to data breach compensation under GDPR. (There are times, however, when a data controller doesn’t need your permission to share your data.)
  • You could also claim GDPR data breach compensation if an organisation has been negligent in protecting your personal information. If, for example, they have failed to install protection such as a firewall, or have negligently left computer equipment in an unsecured location and someone accesses your personal data, this could also be considered a breach.

Data Breach Compensation Examples – Possible Causes

When it comes to potential causes of a data breach that could lead to a claim, there are several examples.

If we look to the Information Commissioner’s Office website, we can gain insight into the causes of data breach incidents reported in Q3 2021-2022. You might be surprised to learn that of the incidents reported in Q3, the vast majority of these were not related to cyber security incidents. This means that in many cases, human error could cause a data breach. Statistics for the period show that the most common cause of a data security incident was data being emailed to the wrong recipient. 419 of the reports made in this period were due to this cause.

Other reasons for data breach incidents during this period included unauthorised access and phishing. We have included a graphic below with a breakdown.

What To Do After A Breach Of Data

If you believe an organisation has breached your personal data, you could report the breach to the organisation’s data protection officer or other appropriate person and ask them to investigate. In some cases, you could report the breach to the Information Commissioner’s Office. We explain more about how to do this later on in this guide.

If you would like to make a claim for data protection breach compensation with the help of a data breach lawyer, we would be happy to speak to you. We could connect you with a No Win No Fee data breach solicitor to help you get the privacy breach compensation you deserve.

What Personal Data Could An Organisation Hold About Me?

An organisation could hold a number of different pieces of personal information about you. Personal data is defined by the ICO as being information that could identify you, either on its own or when someone combines it with other information.

A data protection breach compensation claim could involve the breach of:

  • Your name, telephone number, email address or contact details
  • Financial information such as credit card details or bank details
  • Personal health information, which could involve medical documents
  • Sensitive, protected or confidential information such as social services documents, employee disciplinary records, your ethnic origin or your religion

If an organisation has breached your data privacy, and you have suffered material damages or non-material damages as a result, you could be eligible to claim breach of data compensation.

Examples Of GDPR Data Breach Claims

GDPR compensation for a data breach could come from one organisation, but in some cases you could be claiming against more than one party. Some data breach compensation examples that have led to ICO fines or data breach claims include:

  • Early in 2020, it was reported in the media that the University of East Anglia had paid students over £140,000 in compensation after breaching their sensitive personal data. The breach involved a member of staff sending details of bereavements, personal issues and health problems to 298 people.

More data breach compensation examples


  • In 2019, the ICO fined a company called Doorstep Dispensaree £275,000 for failing to protect special category data. Around 500,000 documents containing such data were left in unlocked containers on the company’s premises. The information in the documents included names, addresses, medical information and NHS numbers.

When Could You Make A GDPR Data Breach Claim?

To make a claim for GDPR data breach compensation, you would need to be able to evidence that:

  • An organisation had breached your personal data
  • The breach of your data caused you to suffer non-material or material damages

You would not necessarily have to take your case to court to claim compensation. An organisation might, after receiving your data breach report, offer to pay you compensation. If they don’t, or you don’t believe their offer reflects your suffering, a data breach lawyer could help you by taking over the negotiations.

If the organisation dispute or refuse your claim, you could take your case to court. You would need to demonstrate that you had attempted to resolve the impact of the data breach before you took your case to court, however. A solicitor could help you here and could represent you in court.

Eligibility To Make A GDPR Data Breach Claim

If you would like to know whether you’d be eligible to claim GDPR data breach compensation, we could help you. However, you may want to get some idea of whether you could have a valid data breach claim before you get in touch.

Check If You Could Make A GDPR Data Breach Claim

To make a claim, you would need to demonstrate:

  • An organisation or individual breached your data
  • You suffered financial loss or psychological damage (or both) due to the breach

You also need to claim within the time limitation periods. (This would be 6 years for data breaches and 1 year for human rights breaches.)

How Do You Sue For A Breach Of The GDPR?

You do not necessarily have to retain the services of a data breach lawyer to claim for data protection breaches. In fact, the ICO advise you to contact the data controller directly to resolve the issue in the first instance.

Organisations may work with you to resolve any issues. However, if you’re not satisfied with their response or they fail to respond, you could then get in touch with the ICO within three months of the final meaningful contact from the organisation.

You do not have to report a data breach to the ICO to claim, however. You could get a data breach solicitor to help you seek compensation.

Check What Evidence You Need To Make A GDPR Data Breach Claim

If you intend to make a claim for GDPR data breach compensation, you would need evidence. Not only would you need to submit evidence that a data breach had taken place, but you’d also have to evidence the damage it caused you.

Documents that might help you could include:

  • A letter to the organisation advising them that you believe your data has been breached
  • The organisation’s response to your data breach report (if they have responded)
  • The organisation’s notice that you were a victim of a data breach
  • Any media reports relating to the data breach
  • Evidence of financial loss (this could include bank statements or credit card bills, for example)
  • Medical evidence (if you suffered anxiety, distress or stress due to the breach)

A data breach solicitor would advise you of how to obtain such evidence and could help you with your data breach claim.

UK GDPR and Data Breach Compensation Examples

In order to come to a compensation amount for a data breach claim, solicitors and courts would need to assess evidence. As we have already talked about, evidencing financial loss could be done by way of providing bank statements and credit card bills.

How serious could a data breach be? What other consequences could there be?

However, as we have already explained, you could also claim other damages relating to psychological injuries. There are two important legal cases that set precedents relating to how much compensation you could claim for psychological injuries.

The first case is Vidal-Hall and others v Google Inc [2015]. During the case heard at the Court of Appeal, the judge said that claimants could pursue damages for emotional harm even if they have not suffered financial loss by way of a GDPR breach.

The second case we refer to is Gulati & Ors v MGN Ltd [2015], within which it was found that data breach compensation for psychological injuries could be calculated similarly to personal injury cases.

Personal Data Breach Compensation Examples

You could be eligible for compensation if a UK GDPR breach has led to your personal data being exposed and causing you harm as a result. The UK GDPR is the legislation that allows claims for personal data breaches.

The figure awarded for psychological suffering is known as non-material damages. The amount of money you receive in non-material damages can depend on various factors. One of these considerations is the level of suffering you have experienced due to a data protection breach. Compensation could also be influenced by a medical prognosis for recovery and how much your psychological injury is affecting your daily life.

The table in this section holds some illustrative figures taken from the Judicial College Guidelines (JCG). This is a publication that received its most recent update in 2022. Legal professionals use resources such as the JCG to assist them in arriving at a suitable data breach compensation amount.

| Condition/Injury | JCG Bracket for Compensation | Severity |
|---|---|---|
| Psychological (General) Injury | £54,830 to £115,730 | Severe |
| Psychological (General) Injury | £19,070 to £54,830 | Moderately severe |
| Psychological (General) Injury | £5,860 to £19,070 | Moderate |
| Psychological (General) Injury | £1,540 to £5,860 | Less severe |
| Post-traumatic stress cases (PTSD) | £59,860 to £100,670 | Severe |
| Post-traumatic stress cases (PTSD) | £23,150 to £59,860 | Moderately severe |
| Post-traumatic stress cases (PTSD) | £8,180 to £23,150 | Moderate |
| Post-traumatic stress cases (PTSD) | Up to £8,180 | Less severe |

It is very important to keep in mind that the figures above do not act as a guarantee. Get in touch with our advisors today and we can give you a bespoke estimate based on your specific circumstances.

What Does Non-Material Damages Mean?

We have already mentioned that you could claim for material and non-material damages. But what is the definition of non-material and material damage?

  • Material damage: This is the financial loss a breach causes you. It could include the costs of identity theft, fraud and financial theft, for example.
  • Non-material damage: This is the non-financial cost of the breach. While we have explained that GDPR data breach compensation could include psychological/psychiatric injuries, it could also include reputational damage and emotional distress.

If you’re not sure what you could include within your data breach claim, we’d be happy to talk to you. We could provide you with a free eligibility assessment and explain what steps you could take to get the compensation you deserve.

No Win No Fee GDPR Data Breach Compensation Claims

If you’re considering claiming compensation for a data breach, you might prefer to have a solicitor complete all the legal legwork for you. The good news is that you could do so without paying them their fee upfront. In fact, under No Win No Fee terms, you wouldn’t need to pay their fee until your claim ends.

How To Claim GDPR Data Breach Compensation Under No Win No Fee Terms

Initially, you’d need to find a data breach solicitor that works on a No Win No Fee basis. We could help you with this. The process would then work as follows:

  • Your solicitor would send you a No Win No Fee agreement to sign. Within this document would be details of the success fee they discuss with you beforehand: a legally capped percentage of the payout.
  • Once you’d signed and sent back the Conditional Fee Agreement to your solicitor, they’d begin work on your case.
  • They would negotiate compensation on your behalf, and help you take your case to court if necessary.
  • Once your payout comes through, they’d deduct the agreed success fee, and you’d benefit from the balance.
  • If your claim doesn’t win, you wouldn’t have to pay the solicitor’s fee at all.

We have a guide that provides in-depth information on No Win No Fee claims. Additionally, if you have any questions to ask our team about making a No Win No Fee claim, we’d be glad to hear from you.

Contact An Advisor About Data Breach Compensation Examples And To Start Your Claim

Are you ready to start your claim for GDPR data breach compensation? If so, we’d be happy to connect you with a data breach solicitor who could help you. If you have any questions about claiming or would like to check your eligibility, we could help with that too. To get in touch, simply:

FAQs On GDPR Data Breach Compensation

How Do I Claim My GDPR Compensation?

As we mentioned earlier in this guide, you could make a request for compensation from the organisation that breached your data. If their response isn’t adequate, you could ask the ICO to investigate. You could also find a data breach solicitor to help you take legal action against an organisation that has breached your data.

Can I Get Compensation For A GDPR Breach?

If you can evidence that you’ve suffered harm because an organisation has breached your data, you could claim GDPR data breach compensation. Compensation could include awards for both non-material and material damages.

What data breach compensation examples could you give me?

We do not have data breach compensation examples to give you, as all cases are assessed on their own merits. However, if you call our team, we could talk to you about cases we’ve handled before. We could also give you an insight into data breach compensation amounts and how they could be calculated.

How much compensation can I get for a GDPR breach?

This depends on how it’s affected you. If you’ve had money taken from you, due to a breach, you could potentially recover this. In addition, you could claim for non-material damages such as a psychological injury.

What are the consequences of breaching GDPR?

The consequences of breaching GDPR could depend on whether you’re looking at the organisation that breached the data, or the person whose personal data has been breached.

The person who suffered a breach of their personal data could suffer consequences including financial harm, loss of privacy, and emotional distress.

The organisation that breached the data could be investigated by the ICO and could receive a fine in some cases. Further to this, they could receive GDPR breach compensation claims from affected victims.

How serious is a data breach?

A data breach could range in severity. In some cases, someone might only experience minor financial harm. Whereas, in others, someone might experience severe psychological distress and serious financial damage.

If you have suffered harm due to a GDPR breach, and want to claim compensation, please call our team.

How to claim medical data breach compensation – could Accident Claims assist?

We could help you when it comes to finding out how to claim compensation for a medical data breach. Our expert team would be happy to assess your eligibility to claim for a personal data breach that has caused you psychological or financial harm, or a combination of both types of harm. If we determine that you have a valid claim, we could provide you with a No Win No Fee solicitor to assist you in claiming compensation for the damage you have been caused.

What industries are most likely to suffer data security incidents?

If we look at the ICO Q2 2021-22 statistics, we can see that the top sector where data breach incident reports are concerned was healthcare. This was followed by education or childcare. 

If the organisation caused your personal data to be breached as a result of their wrongful conduct and you experienced psychological and/or financial damage as a result, call our team. They can help you understand whether you’re eligible to claim.

How do I prove a psychological injury was caused by a GDPR data breach?

To prove a psychological injury was caused by a personal data breach, you could provide medical evidence such as hospital or doctor records.

You may also be invited to attend an appointment with an independent medical professional. They would speak to you about your psychological injury and the effects the data breach has had on you.

Based on their assessment, they would produce a medical report, which could be used for evidence. If you have any questions about this, we’d be happy to answer them.

Could a Data Breach Compensation Calculator Help Me?

You may want more information about using a data breach compensation calculator. There are benefits to using one – by inputting the features of your psychological injury, selecting how it occurred as well as a few more details, you could see your potential compensation for a GDPR breach that has put your personal data at risk.

However, there are drawbacks to using a calculator. Firstly, not all of them can include the material damages you experienced from the incident. This means that the compensation estimate may not include all of the losses you could receive from a successful claim.

Moreover, they can only provide you with a very general compensation bracket of what you could receive. Speaking to our experienced advisors about your injury and the circumstances surrounding it could give you a quotation that is a more accurate reflection of your potential compensation.

Please read on to learn more about how you can receive compensation from data protection breaches. If you prefer, you can contact us for a free consultation to see if you can claim. Our advisors can connect you with one of our data breach solicitors who can work your case using a No Win No Fee agreement.

Related Guides To GDPR Breach Compensation

Does The ICO Enforce GDPR?: The ICO does enforce GDPR. You can find out what other legislation the ICO enforces from their website.

Guidance On Data Protection: The Government’s website offers some guidance on data protection, giving you information on what rights you have when it comes to the protection of your personal data.

What Personal Data Can My Employer Keep?: If you’re worried about what personal information your employer has on you, you can find out from this link what data your employer can keep.

Claiming For Stress: Stress could be one of the consequences of a data breach. You can read about stress compensation by visiting this link.

Psychological Injuries Because Of Data Breaches: Our guide can help if you’d like more information on claiming because you’ve suffered psychologically due to a data breach.

Will There Be Problems If I Sue My Employer?: Some employees might worry that suing their employer could cause them problems at work. This guide could help allay your concerns.

What Happens If An Employee Breaches GDPR?

We hope you have found our guide covering GDPR breach compensation useful. Now, you will have insight into data breach compensation examples and the data breach compensation amount you could receive when claiming GDPR compensation.