GDPR Data Breach Compensation

I Suffered A GDPR Data Breach, What Are My Rights To Compensation?

Did you know that if you suffer financially or emotionally due to a GDPR data breach, you could have a right to claim compensation? GDPR stands for the General Data Protection Regulation and it is arguably the world’s most stringent data privacy and security law.

In the UK, we have enshrined the application of GDPR into the Data Protection Act 2018. Access to your personal data that breaches GDPR could result in the ICO investigating and fining the organisation that had the breach. It could also give you the right to seek compensation for non-material (psychological or emotional) and material (financial) damages.

In this guide, we provide you with a useful insight into the causes of a data breach, including negligence, mismanagement of data, a cyber attack and human error. In the sections that follow, you’ll find an explanation of what GDPR covers, and examples of what personal data breaches could involve.

We also look at how data breach lawyers and courts could arrive at appropriate compensation payouts for a breach of data protection. You can also find information about what evidence you may need to claim, as well as how to begin your journey to compensation.

If you would like assistance from a data breach solicitor, or you’d like us to assess your eligibility to claim, please don’t hesitate to contact us. You can reach our friendly, knowledgeable team on 0800 073 8801.

A Guide To GDPR Data Breach Compensation Claims

Whether you’re interacting with an employer, a bank, the post office or any other organisation, they may ask you for some of your personal information so they can provide you with services, fulfil a contract, or for other reasons.

An organisation that decides why and how your data is collected would be considered a data controller. As such, they have a legal duty to comply with data protection law. A failure to do so could mean that a victim of a data breach could be eligible to claim GDPR breach compensation if they suffer financially or emotionally because of the breach.

However, there are restrictions when it comes to making such claims. One of these is how long you could have to launch a claim. While some data breach claims have a limitation period of 6 years, others involving a breach of your human rights only have a limitation period of 1 year. Therefore, you may be looking to begin a claim as soon as possible. This guide could help you get started.

In the sections below, we guide you through the GDPR. We explain when this law came into force, how it is intended to give you more control over the disclosure of and access to your personal data, and how a breach of your data could happen. In addition to this, we provide guidance on the damages that could be included in compensation awards for a data breach of GDPR.

At the end of this guide, we explain how we could match you with a data breach lawyer who could help you fight for compensation on a No Win No Fee basis.

What Is The GDPR?

In 2018, a new law came into force. The General Data Protection Regulation was created by the EU. It is arguably the strictest data privacy and security law in the world to date. The UK has enacted its application of GDPR in the Data Protection Act 2018.

There are several guiding principles that data controllers need to adhere to when collecting, storing and processing people’s personal information. These include:

  • Lawfulness, fairness and transparency – the storage, processing and collection of personal data must not breach laws. It must be done fairly and with transparency to the data subject.
  • Purpose limitation – data controllers must identify the purpose for data processing and ensure the processing is limited to its purpose.
  • Data minimisation – organisations must ensure they only process the minimum amount of data required for its purpose.
  • Accuracy – an organisation should ensure the data they process is accurate and keep it as up to date as possible.
  • Storage limitation – they must also ensure they do not store data for longer than it is needed for its specified purpose.
  • Integrity and confidentiality – there must be appropriate security measures to protect personal data.
  • Accountability – organisations must be able to demonstrate their compliance with GDPR.

If an organisation breaches GDPR, and this causes emotional or financial harm to victims of a data breach, those victims could, under Section 168 of the Data Protection Act 2018, claim GDPR breach compensation.

What Is A GDPR Data Breach?

The Information Commissioner’s Office is a public body set up to uphold individuals’ data rights. It defines a data breach as being a security breach that leads to the accidental or unlawful destruction, loss, alteration, disclosure of or access to personal data.

Data protection breaches could result from human error, malicious behaviour (such as a cyber attack), or negligence. For example:

  • Your data could be breached if a hacker uses a bot to exploit vulnerabilities in an organisation’s systems. They could gain access to cloud databases, or even a VPN (Virtual Private Network). If they do, they could use malware, such as ransomware, spyware or a virus, to breach data held on such systems.
  • Human error could also cause a data breach. If someone accidentally sends your data to an unauthorised person, or even leaves a filing cabinet unlocked, leading to unauthorised access of your data, this could lead to data breach compensation under GDPR. (There are times, however, when a data controller doesn’t need your permission to share your data.)
  • You could also claim GDPR data breach compensation if an organisation has been negligent in protecting your personal information. If, for example, they have failed to install protection such as a firewall, or have negligently left computer equipment in an unsecured location and someone accesses your personal data, this could also be considered a breach.

What To Do After A Breach Of Data

If you believe an organisation has breached your personal data, you could report the breach to the organisation’s data protection officer or other appropriate person and ask them to investigate. In some cases, you could report the breach to the Information Commissioner’s Office. We explain more about how to do this later on in this guide.

If you would like to make a claim for data protection breach compensation with the help of a data breach lawyer, we would be happy to speak to you. We could connect you with a No Win No Fee data breach solicitor to help you get the privacy breach compensation you deserve.

What Personal Data Could An Organisation Hold About Me?

An organisation could hold a number of different pieces of personal information about you. Personal data is defined by the ICO as being information that could identify you, either on its own or when someone combines it with other information.

A data protection breach compensation claim could involve the breach of:

  • Your name, telephone number, email address or contact details
  • Financial information such as credit card details or bank details
  • Personal health information, which could involve medical documents
  • Sensitive, protected or confidential information such as social services documents, employee disciplinary records, your ethnic origin or your religion

If an organisation has breached your data privacy, and you have suffered material damages or non-material damages as a result, you could be eligible to claim breach of data compensation.

Examples Of GDPR Data Breach Claims

GDPR compensation for a data breach could come from one organisation but in some cases, you could be claiming against more than one party. Some examples of data breaches that have led to ICO fines or data breach claims include:

  • Early in 2020, it was reported in the media that the University of East Anglia had paid students over £140,000 in compensation after breaching their sensitive personal data. The breach involved a member of staff sending details of bereavements, personal issues and health problems to 298 people.


  • In 2019, the ICO fined a company called Doorstep Dispensaree £275,000 for failing to protect special category data. Around 500,000 documents containing such data were left in unlocked containers on the company’s premises. The information in the documents included names, addresses, medical information and NHS numbers.

When Could You Make A GDPR Data Breach Claim?

To make a claim for GDPR data breach compensation, you would need to be able to evidence that:

  • An organisation had breached your personal data
  • The breach of your data caused you to suffer non-material or material damages

You would not necessarily have to take your case to court to claim compensation. An organisation might, after receiving your data breach report, offer to pay you compensation. If they don’t, or you don’t believe their offer reflects your suffering, a data breach lawyer could help you by taking over the negotiations.

If the organisation disputes or refuses your claim, you could take your case to court. You would need to demonstrate that you had attempted to resolve the impact of the data breach before you took your case to court, however. A solicitor could help you here and could represent you in court.

Eligibility To Make A GDPR Data Breach Claim

If you would like to know whether you’d be eligible to claim GDPR data breach compensation, we could help you. However, you may want to get some idea of whether you could have a valid data breach claim before you get in touch.

Check If You Could Make A GDPR Data Breach Claim

To make a claim, you would need to demonstrate:

  • An organisation or individual breached your data
  • You suffered financial loss or psychological damage (or both) due to the breach

You also need to claim within the time limitation periods. (This would be 6 years for data breaches and 1 year for human rights breaches.)

How Do You Sue For A Breach Of The GDPR?

You do not necessarily have to retain the services of a data breach lawyer to claim for data protection breaches. In fact, the ICO advise you to contact the data controller directly to resolve the issue in the first instance.

Organisations may work with you to resolve any issues. However, if you’re not satisfied with their response or they fail to respond, you could then get in touch with the ICO within three months of the final meaningful contact from the organisation.

You do not have to report a data breach to the ICO to claim, however. You could get a data breach solicitor to help you seek compensation.

Check What Evidence You Need To Make A GDPR Data Breach Claim

If you intend to make a claim for GDPR data breach compensation, you would need evidence. Not only would you need to submit evidence that a data breach had taken place, but you’d also have to evidence the damage it caused you.

Documents that might help you could include:

  • A letter to the organisation advising them that you believe your data has been breached
  • The organisation’s response to your data breach report (if they have responded)
  • The organisation’s notice that you were a victim of a data breach
  • Any media reports relating to the data breach
  • Evidence of financial loss (this could include bank statements or credit card bills, for example)
  • Medical evidence (if you suffered anxiety, distress or stress due to the breach)

A data breach solicitor would advise you of how to obtain such evidence and could help you with your data breach claim.

GDPR Data Breach Compensation Calculator

To calculate compensation for a data breach claim, courts and solicitors would need to assess all the evidence. As we mentioned, to evidence financial loss, you could use bank statements and credit card bills.

You could also submit medical evidence and claim for psychological and psychiatric harm. This is because a legal precedent was set in Vidal-Hall and others vs Google Inc [2015] – Court of Appeal. The judge found that awards similar to those in personal injury claims for psychiatric/psychological damage should be considered.

Therefore, you could claim for financial loss or psychiatric damage or both.

Medical Evidence For GDPR Data Breach Compensation Claims

When it comes to gathering the medical evidence required to prove psychological injuries, the victim of a data breach would need to see an independent medical expert. The expert would examine them and create a medical report detailing the victim’s injuries and their prognosis.

Courts and data breach lawyers could use this report alongside a legal publication, the Judicial College Guidelines, to arrive at an appropriate compensation settlement for your injuries. We’ve put together the table below using figures from that publication to give you an idea of approximate payout brackets.

| Condition/Injury | JCG Bracket for Compensation | Severity |
|---|---|---|
| Post-traumatic stress cases (PTSD) | £56,180 to £94,470 | Severe |
| Post-traumatic stress cases (PTSD) | £21,730 to £56,180 | Moderately severe |
| Post-traumatic stress cases (PTSD) | £7,680 to £21,730 | Moderate |
| Post-traumatic stress cases (PTSD) | Up to £7,680 | Less severe |
| Psychological (General) Injury | £51,460 to £108,620 | Severe |
| Psychological (General) Injury | £17,900 to £51,460 | Moderately severe |
| Psychological (General) Injury | £5,500 to £17,900 | Moderate |
| Psychological (General) Injury | Up to £5,500 | Less severe |

What Does Non-Material Damages Mean?

We have already mentioned that you could claim for material and non-material damages. But what is the definition of non-material and material damage?

  • Material damage: This is the financial loss a breach causes you. It could include the costs of identity theft, fraud and financial theft, for example.
  • Non-material damage: This is the non-financial cost of the breach. While we have explained that GDPR data breach compensation could include psychological/psychiatric injuries, it could also include reputational damage and emotional distress.

If you’re not sure what you could include within your data breach claim, we’d be happy to talk to you. We could provide you with a free eligibility assessment and explain what steps you could take to get the compensation you deserve.

No Win No Fee GDPR Data Breach Compensation Claims

If you’re considering claiming compensation for a data breach, you might prefer to have a solicitor complete all the legal legwork for you. The good news is that you could do so without paying them their fee upfront. In fact, under No Win No Fee terms, you wouldn’t need to pay their fee until your claim ends.

How To Claim GDPR Data Breach Compensation Under No Win No Fee Terms

Initially, you’d need to find a data breach solicitor that works on a No Win No Fee basis. We could help you with this. The process would then work as follows:

  • Your solicitor would send you a No Win No Fee agreement to sign. Within this document would be details of the success fee they discuss with you beforehand: a legally capped percentage of the payout.
  • Once you’d signed and sent back the agreement to your solicitor, they’d begin work on your case.
  • They would negotiate compensation on your behalf, and help you take your case to court if necessary.
  • Once your payout comes through, they’d deduct the agreed success fee, and you’d benefit from the balance.
  • If your claim doesn’t win, you wouldn’t have to pay the solicitor’s fee at all.

We have a guide that provides in-depth information on No Win No Fee claims. Additionally, if you have any questions to ask our team about making a No Win No Fee claim, we’d be glad to hear from you.

Contact An Advisor

Are you ready to start your claim for GDPR data breach compensation? If so, we’d be happy to connect you with a data breach solicitor who could help you. If you have any questions about claiming or would like to check your eligibility, we could help with that too. To get in touch, simply:

FAQs On GDPR Data Breach Compensation

How Do I Claim My GDPR Compensation?

As we mentioned earlier in this guide, you could make a request for compensation from the organisation that breached your data. If their response isn’t adequate, you could ask the ICO to investigate. You could also find a data breach solicitor to help you take legal action against an organisation that has breached your data.

Can I Get Compensation For A GDPR Breach?

If you can evidence that you’ve suffered harm because an organisation has breached your data, you could claim GDPR data breach compensation. Compensation could include awards for both non-material and material damages.

Related Guides

Does The ICO Enforce GDPR?: The ICO does enforce GDPR. You can find out what other legislation the ICO enforces from their website.

Guidance On Data Protection: The Government’s website offers some guidance on data protection, giving you information on what rights you have when it comes to the protection of your personal data.

What Personal Data Can My Employer Keep?: If you’re worried about what personal information your employer has on you, you can find out from this link what data your employer can keep.

Claiming For Stress: Stress could be one of the consequences of a data breach. You can read about stress compensation by visiting this link.

Psychological Injuries Because Of Data Breaches: Our guide can help if you’d like more information on claiming because you’ve suffered psychologically due to a data breach.

Will There Be Problems If I Sue My Employer?: Some employees might worry that suing their employer could cause them problems at work. This guide could help allay your concerns.

Thank you for reading our guide to GDPR data breach compensation claims. 

Guide by JJ

Edited by RV