UK GDPR — Article 82 Compensation Right

Your data was leaked — you may be entitled to compensation

UK GDPR gives you the right to claim compensation for distress and financial loss caused by a data breach — even without financial loss, anxiety and loss of control over your data can support a claim.

Article 82 UK GDPR
Distress alone can be enough
6-year claim window
UK Data Breach — Key Figures
ICO breach notifications (2024): 3,500+
Typical distress award: £500–£3k
BA/Marriott group settlements: £100–£500+
Claim limitation period: 6 years
Serious breach awards: £3k+
Financial loss needed: £0
Top breach sector: NHS
Quick answer — Article 82 UK GDPR
Can I claim compensation for a data breach?
Yes, if an organisation violated UK GDPR and you suffered material damage (financial loss, identity theft) or non-material damage (distress, anxiety, loss of control over personal data). Following Lloyd v Google [2021], you need to show some specific harm — but that harm can be psychological distress alone, without any financial loss. Courts have awarded £500–£3,000+ for distress in cases involving medical, financial, or highly sensitive data.
🛡️ No financial loss required | ✓ 6-year window | 📋 ICO complaint free

Data Breach Compensation Estimator

Select the type of data breached and the impact on you to estimate a potential compensation range. Data breach amounts are assessed case-by-case, but these ranges reflect recent UK court awards and group litigation settlements.


Based on UK court precedents and ICO enforcement data

What type of data was involved in the breach?

🏥 Medical / Health: £750–£5,000+
💳 Financial / Banking: £500–£3,500
👔 Employer / HR: £500–£3,000
🪪 Identity / Passport: £750–£4,000
🛒 Retail / Email: £150–£1,000
🔒 Sensitive (sexual, religion, political): £1,500–£8,000+

Distress must be evidenced
Courts require some evidence of distress — a witness statement describing how the breach affected you, GP records, or evidence of changes in behaviour. Straightforward statements of anxiety are sufficient for lower-band awards. Psychological evidence strengthens claims for awards above £1,500.
Estimates based on UK county court judgments and group litigation settlements 2019–2024. Not legal advice. Actual awards determined by courts on the specific facts.

Your legal rights after a data breach

Article 82 UK GDPR

The primary right to compensation for material or non-material damage resulting from a UK GDPR infringement by a controller or processor. No fault required — the organisation must prove it bears no responsibility.

Lloyd v Google [2021] UKSC

The Supreme Court confirmed you need specific harm — but also confirmed distress and loss of control over data qualifies. It ruled out "mere unlawful processing" without some identifiable damage.

ICO complaints

You can complain to the Information Commissioner's Office for free. The ICO can investigate, issue enforcement notices, and fine organisations — potentially strengthening your civil claim with its findings.

Group/collective actions

Many data breaches affect thousands of people. Group litigation orders (GLOs) are common — BA, Marriott, TalkTalk, and others have faced group actions. Joining is typically no win, no fee.

Most common data breach types and typical payouts

Breach type | Typical claim | Key evidence | Group action?
NHS / medical records | £750–£5,000 | ICO report, breach notification letter | Yes — active
Financial services data | £500–£3,500 | FCA/ICO action, fraud evidence | Yes
Employer HR / payroll | £500–£3,000 | Breach notification, distress evidence | Case by case
Retail / loyalty scheme | £150–£1,000 | Breach notification email | Yes
Sensitive personal data | £1,500–£8,000+ | Data category evidence, distress | Case by case
Social services / child data | £3,000–£15,000+ | LA records, expert evidence | Individual

How to make a data breach compensation claim

1. Confirm the breach happened and you were affected

Look for a breach notification letter or email from the organisation. Check the ICO's enforcement and decision register. Search for news coverage of the incident. If unsure, submit a Subject Access Request to the organisation — they must respond within 30 days.

2. Document your distress and any financial impact

Write a personal statement describing how the breach affected you: anxiety about your data being misused, time spent dealing with the fallout, any changes to your credit file, fraudulent activity, or distress from medical information being shared. Keep GP records if relevant.

3. Complain to the ICO (optional but useful)

An ICO investigation is free and, if the ICO upholds your complaint, this is powerful evidence in your civil claim. Report online at ico.org.uk. The ICO aims to respond within 3 months.

4. Write a Letter of Claim to the organisation

A formal letter setting out the breach, the damage you suffered, and the compensation you're seeking. Organisations often prefer to settle rather than litigate. Many solicitors handle this on a no win, no fee basis.

5. Proceed to court if necessary

County court proceedings for data breach claims under £10,000 go through the Small Claims track. For larger claims, specialist data protection solicitors handle group actions or multi-track cases.

Data breach claims — frequently asked questions

I received a data breach notification — does that mean I can claim?
A breach notification is a strong starting point but doesn't automatically mean you have a claim. You need to show: (1) the organisation actually violated UK GDPR — not all notified breaches involve a GDPR breach; (2) you suffered harm as a result — distress, worry, or financial loss. Many people who receive breach notifications have valid claims but don't realise it.
Do I need to have suffered identity theft or fraud to claim?
No. You do not need to have suffered actual identity theft or financial fraud to claim. Non-material damage — including distress, anxiety, loss of sleep, and loss of control over your personal data — is sufficient under Article 82 UK GDPR. However, you do need to evidence some specific harm. The more sensitive the data (medical, financial, HR, identity), and the more widespread the breach, the stronger the distress case.
What if I was notified of a breach 3 years ago?
You may still be within the 6-year limitation period. A breach notification letter from 3 years ago would mean you still have until approximately 3 years from now to bring a claim. Act promptly — evidence is easier to gather sooner, the ICO's records are more readily available, and organisations are more cooperative within a few years of the breach.
Can I join a group action for a major breach (e.g. British Airways, NHS)?
Many large data breaches have active or completed group litigation. British Airways settled a group action; the NHS has faced multiple GLOs. To join, you typically register with a firm running the group action — they'll contact you about the claim. Joining a group action is usually no win, no fee and requires minimal involvement on your part.

Disclaimer: Estimates are based on UK court precedents. Actual awards depend on the nature of the breach, evidence of harm, and judicial discretion. Following Lloyd v Google, "mere unlawful processing" alone is insufficient — some specific harm must be shown. Not legal advice. Always consult a qualified data protection solicitor.