How To Claim Data Breach Distress Compensation

By Jo Jeffries. Last Updated 18th September 2023. Welcome to this guide to data breach distress compensation. 

This guide explains what you may need to know if you’re looking to make a data breach claim and the role of the Information Commissioner’s Office in data protection regulation of GDPR as well as how they could help with the misuse of private information.

We could offer a free eligibility check on your case, and if we believe you could make a successful claim, connect you with a lawyer. The lawyer could take on your claim on a No Win No Fee basis. You can reach the Accident Claims UK team on 0800 073 8801.

Select A Section

What Are Breaches Of Personal Data?

Unfortunately, with the advancements in technology and much of our private data being stored by many different entities such as the NHS, government, public and private businesses, there comes a risk of that data being breached. Data could include your email address and date of birth or sensitive information such as your bank account details.

According to the Government’s Cyber Security Breaches Survey 2020, 46% of businesses and 26% of charities reported suffering cyber attacks or data security breaches within the 12 months leading up to the survey. 68% of medium and 75% of large businesses reported breaches or attacks. 57% of high-income charities reported them too.

How Should My Data Be Protected?

Your data was previously protected under the Data Protection Act 1998 (DPA), which has now been updated to the Data Protection Act 2018. This brings it into line with the EU GDPR, the General Data Protection Regulation.

What Is A Data Breach?

The GDPR is an EU-created law which protects the personal data of any EU citizen. It was brought into force in 2018, and the UK’s Data Protection Act 2018 was updated to include the UK’s application of GDPR.

A GDPR data breach, therefore, is a breach of the security and or integrity of EU citizens’ data. It does not matter where the data breach occurs, and even whether it happens in the EU. All countries across the world must protect EU citizen data. If a data controller wrongfully breaches your data, exposing it, and causing you harm as a result, you could be eligible to claim compensation. 

To learn more about GDPR and how a data breach could happen, read on. If you would like to check your eligibility to claim, please contact an advisor.

Data Breach Claims – Understanding The Eligibility To Make A Data Breach Claim

The Data Protection Act 2018 and the UK General Data Protection Regulation set out the responsibilities a data controller and data processor have to protect your personal data. A failure to do so is a breach of data protection law. However, not all instances of this will form the basis of a valid data breach claim.

To seek data breach compensation, you need to prove:

  • A data controller or processor failed to adhere to data protection law.
  • Their failings caused your personal data to be breached.
  • You experienced financial loss or psychological harm as a result.

To discuss the data breach claims process as well as your eligibility to claim, you can call the helpline. An advisor will be able to talk to you about your case.

What Is Distress In Data Breach Claims?

The consequences of data breaches could be significant. Whether it has been financial data, medical data or personal information that has been breached, it could have an impact on your mental health. You could suffer anxiety or depression, for example.

Data breach distress, put simply, is anxiety and emotional stress due to a data breach. For example, you may suffer because of someone using your personal data in an unauthorised way due to them having access to it. You may suffer because your private personal information is now in the public domain. A breach that leads to the theft of your bank details could have a significant effect on your finances and mental health.

In order for you to make a data breach emotional distress claim, you would have to prove that:

  • Your data has been breached.
  • You have suffered upset and distress as a direct result of the breach.

Data Breach Cases

In one case (TLT v Secretary of State for the Home Department. Reference [2016]), damages were awarded to some victims whose mental health suffered after their data was subject to a breach. Thousands of asylum and leave to remain applicants had their personal data published on the Home Office’s website in error.

Previously, you could only claim compensation for a breach of data that caused you financial loss. However, a landmark case (Vidal-Hall vs Google) which was heard at the Court of Appeal in 2015 led to a settlement being agreed for compensation for loss of dignity, distress and anxiety caused by a data breach.

Now, if you can prove you have a valid claim, you could claim for either financial loss or mental suffering or both because of a data breach.

If you believe you have suffered anxiety or cyber stress due to a data breach, and you would like to have your case assessed for free to see if you could be eligible for compensation, Accident Claims could help. If our opinion is that you could have a valid claim, we could then connect you with a professional lawyer. They could begin your claim for data breach distress and get you the compensation you deserve.

Causes Of Breaches In Data Protection

Your personal information may be held by different entities in a variety of ways. There are also various ways in which it could be breached. Some causes of a breach could include:

  • A hack: This is where someone gains unauthorised access to a computer system.
  • A virus: This inserts its own code into computer programs, effectively infecting them with code.
  • Cyber attacks: This is where a malicious attack is launched by cyber criminals. Attackers could intend to steal data, cause a loss of data or use the attacked computer systems as launch points for further attacks, for example.
  • Human error: If someone has accidentally sent a file with your personal data, for example. This can also happen with physical documents.

Data breaches do not only have to be online. For example, an employer may send your salary details in a letter to a colleague in error.

All of these causes could lead to GDPR breaches, leaks and losses of data, or data being sent to a third party.

How Else Could Data Breaches Impact Someone?

While this guide concentrates largely on data breach distress, there are other ways in which data breaches could impact a person. These could include:

  • Accessing your accounts: If a cyber criminal is able to access certain data, they may be able to gain access to your financial accounts. Data theft could lead to spending in your name, or even emptying your bank account.
  • Identity theft: Not only could stolen data be used to access your financial accounts, but it could also be used to set up new ones. Criminals could use stolen data to apply for financial products in your name and commit fraud in your name.
  • Selling of your data: Your data could be sold to a third party without your knowledge

If a breach of your data has led to financial harm, you could claim compensation for it, as well as claiming compensation for distress from the data breach.

Complaining To The ICO About Distress And Data Breaches

The ICO has given instructions as to how you could complain about a data breach that has caused you emotional distress. They advise affected parties to:

Approach the organisation that is responsible for breaching your data. The ICO advise you to do this quickly, ensure you send it to the right address, and be specific. You could ask them to investigate and you should also explain how the breach has affected you. If the experience has been stressful and you have been left distressed by it, you should mention this.

If you do not receive an adequate response, or the organisation doesn’t respond at all, as a last resort you could register a complaint with the ICO. The ICO would not usually investigate data breach concerns where an undue delay has occurred in bringing your concerns to the ICO’s attention. Therefore, you should contact the ICO before 3 months has passed since there has been any final contact from the data controller or processor you’ve contacted.

If you’re concerned that any time limits have passed or you haven’t raised the issue in the right way, get in touch for free legal advice from our advisors.

Data Breach Compensation – Emotional Distress Compensation

You may be wondering how compensation for a data breach is calculated. Your claim may include two heads. You could be compensated for your material damage, which we examine later. You could also potentially claim emotional distress compensation as non-material damage.

As we mentioned earlier in this guide, under the Data Protection Act, damages for distress or a psychological injury could potentially be claimed. If you suffered harm to your mental health as a direct result of your personal data’s inclusion in a breach, you might qualify for this.

The Judicial College Guidelines (JCG) can be used by legal professionals to help when assigning value to non-material damage. This is a document that provides compensation brackets for various injuries.

Our table below contains examples of psychiatric injuries from the latest edition of the JCG. As claims are assessed on an individual basis, we have only provided it as a guide.

JCG Payout Examples

Injury Compensation Bracket Notes
PTSD (a) £59,860 to £100,670 Severe – permanently affecting the claimant, who would not be able to work or function on a pre-trauma level. This would affect all aspects of the person’s life.
PTSD (b) £23,150 to £59,860 Moderately Severe – better prognosis than in the category above, but with significant disabilities that could last for the foreseeable future.
PTSD (c) £8,180 to £23,150 Moderate – the injured party would have largely recovered but any continuing symptoms wouldn’t be disabling grossly.
PTSD (d) £3,950 to £8,180 Less severe – where the injured party would have made a virtually full recovery within 1–2 years.
Psychiatric Damage Generally (a) £54,830 to £115,730 Severe – leading to marked effects with regards to their ability to cope with education, work and life and on their relationships. Could leave them vulnerable to risk in the future. The prognosis would be very poor.
Psychiatric Damage Generally (b) £19,070 to £54,830 Moderately severe – significant effects as per the above bracket but with a more optimistic prognosis.
Psychiatric Damage Generally (c) £5,860 to £19,070 Moderate – with the kind of problems associated with more severe damage, but there will have been a significant improvement and a good prognosis.
Psychiatric Damage Generally (d) £1,540 to £5,860 Less severe – the level of the effects on the person’s sleep and daily activities would be taken into account, and the length of time the person has suffered.
Reputation damage Call for more information Call for more information
Loss of income Call for more information Call for more information

Call our expert advisors for more information about non-material damage. They can provide a free estimation of your data breach compensation. If your claim seems like it has a chance of success, they could put you in touch with our No Win No Fee data breach solicitors.

GDPR Compensation For Distress – What Could I Claim?

As we have mentioned, it could be possible to sue for emotional distress in the UK if you’re eligible to make a data breach claim.

Generally, there are two heads of claim. These are known as material damage and non-material damage. You can receive compensation for material damage for the financial losses you have experienced as a result of the personal data breach. You can receive compensation for non-material damage for the psychological harm you have experienced as a result of the personal data breach. This can include emotional distress compensation.

If you’re still wondering if after a breach of the UK GDPR, compensation for distress can be awarded to you, please get in touch on the number above.

What else could I include in a data breach claim?

You could also receive compensation for material damage. As mentioned, this relates to the financial losses incurred due to the personal data breach. For example, you may have had your bank account details stolen leading to someone taking loans out in your name. You will need evidence of these losses, such as bank statements.

To learn more about claiming emotional distress compensation, get in touch using the number above.

Data Breach Distress Compensation – No Win No Fee Legal Help

After suffering psychological harm following a breach of the Data Protection Act, distress compensation might be owed to you. If you wish to work with solicitors but are worried about the potential financial risks involved, we may have a solution for you.

A No Win No Fee agreement could mean that if your claim fails, you don’t pay your solicitor for their work.

However, if your claim succeeds, they deduct a success fee from your data breach distress compensation; this fee is capped under the Conditional Fee Agreements Order 2013.

Generally, you won’t be required to pay an upfront fee either. And you may not be expected to cover costs during the process of claiming UK GDPR compensation for distress.

Get in touch to find out your eligibility to claim data breach compensation Our advisors are available 24/7 and offer free consultations.

Begin Your Claim

Finally, do you want to see if you qualify to claim? Or do you have questions surrounding the claims process or how long you could have to claim? Perhaps you’re not sure whether you could be eligible to make a claim. Whatever you need in terms of help and support, we’re here. You can contact us in a number of ways, including:

Essential References On Claiming Data Breach Distress Compensation

Our Commitment To Client Care: You can read more about how Accident Claims UK put you first at all times during the claims process.

Learn More About Psychological Injuries: Here, we explore psychological injuries in more detail. You might find this useful if you wish to make a claim for a psychological injury.

Post-Traumatic Stress: This guide could be of use to you if you have suffered PTSD. It gives an explanation of how PTSD could affect you and how much you could claim.

Government Information On Data Protection: You can read more about data protection on the government’s website.

A Guide To Compensation From The ICO: This page on the ICO website offers some insight into how to claim compensation for a data breach.

Government Guidance On Personal Data After Brexit: This sets out the guidelines for personal data after the transition period when the UK leaves the EU.

What Happens If An Employee Breaches GDPR? –  Here, you’ll read about employee breaches. However, if you think you have a claim, why not call us.

Data Breach Distress Claim FAQs

Data Breach Distress – Compensation Claim Time Limits 

As well as asking can I get compensation for a data breach, you might want to know how long you’d have to claim following a breach of the UK GDPR. Compensation for distress and financial losses could be claimed if your personal data is compromised due to an organisations failings. However, you would need to prove you sustained psychological harm or financial loss.

When starting a claim for data breach distress compensation, you generally have 6 years. This is reduced to 1 year if the claim is against a public body. Call us for more information.

What are the causes of data breaches?

According to the ICO’s figures for Q1 2021/22 for data breaches reported to them, there were a total of 2,552 data security incidents. Some of them were cyber security-related while others were non-cyber security breaches. You can see the reasons for these breaches in the graph that follows.

data breach distress claim statistics graph

As you can see from the above, the highest number of incidents were unrelated to cyber security incidents. Plus, the second highest incidence was where data was incorrectly e-mailed to an unauthorised recipient. If you have provided the correct e-mail address to an organisation, they should be able to send your data to you correctly. However, sometimes things could go wrong. Depending on the type of data that was on the e-mail, this could cause significant distress.

For example, if your bank details were sent to someone else, this could be very stressful. Here, you might worry that the recipient would be able to access your account. If it was medical information, you might fear that someone would know personal information that you didn’t want to share. If your employer sent details of your disciplinary record, this could lead to reputational damage. All of these incidents could cause data breach distress.

Can I claim against an employer for data breach distress?

If your employer was at fault for your data being breached and did something wrong, this could lead to you being able to claim compensation from them. You could claim for the financial impact of a data breach as well as emotional harm, such as distress.

How much compensation for data breach distress may be offered – should I take the first offer?

Have you been offered settlement when making a claim for a data breach? But, what happens if you you don’t feel like it is appropriate enough to compensate you for your suffering? If this is the case, you could opt to dispute it. However, we would advise you to seek legal advice when it comes to how much compensation for data breach distress may be offered. Your solicitor could give you some advice on whether you might want to take an offer. Furthermore, they could explain whether you could potentially make an attempt for a higher settlement. The decision in such cases would ultimately be yours, but getting professional advice could be beneficial.

What evidence would I need to claim for a data breach that caused a psychological injury?

The evidence you’d need when making a claim for a data breach which caused psychological injuries could include:

  • Evidence of the data breach incident, such as communication between you and the organisation 
  • Proof of wrongful conduct on the part of a liable party, such as findings from an ICO investigation
  • Evidence of the harm you’ve suffered, showing that it was caused by the breach, such as medical records

An independent medical expert may need to conduct a psychological evaluation if you intend to make data breach claims for psychological injuries. They could provide you with a report on your psychological injury, which you could use in evidence. 

How do I evidence a claim for data breach distress compensation?

Various pieces of evidence could help your claim for data breach distress compensation. Data breach claims require evidence that a breach occurred due to wrongdoing or negligence, and that you were harmed by it. Useful evidence could include: 

  • Any documentation between you and the organisation that breached your data. This could include any correspondence about the breach. 
  • Medical evidence. In some cases, you may need to attend an independent medical assessment to produce a report on severe cases of psychological injuries. This could be used to evidence your claim.
  • Evidence of any financial implications of the data breach. A settlement for a breach of the Data Protection Act could include damages for distress. However, it could also include damages for financial harm you’ve suffered because of a breach. Therefore, bank statements, credit card bills and other financial documentation could help with this.

Now, if you’re concerned about evidencing your data breach claim, we’d be happy to talk to you. We could ask you some questions about the evidence you have. Furthermore, we can give you our honest view of whether it could help to prove your claim.

I have more questions about the Data Protection Act and damages for distress – where can I get help?

Our team are available to offer help and support to those looking to make data breach claims. Furthermore, you can call us at any time to discuss your case.

Finally, thank you for reading our guide to making a data breach distress compensation claim. In conclusion, please call us if you believe you have a claim.