- Under UK GDPR and the Data Protection Act 2018, you have the right to claim compensation from an organisation that suffers a data breach if you have experienced material or non-material damage.
- The Information Commissioner's Office (ICO) investigates data breaches and can issue fines to organisations - but the ICO does not award compensation to individuals directly.
- To claim compensation, you must first contact the organisation directly, then escalate to the courts if the organisation refuses.
- Group litigation orders allow multiple affected individuals to bring a collective claim, as seen in several high-profile UK data breach cases.
Last reviewed: 28 June 2026
If your personal data has been compromised in a UK data breach, you have the right to complain to the ICO and to seek compensation from the responsible organisation through the courts. The ICO cannot award you compensation directly but its findings can support a civil claim.
| Key Facts - Data Breach Rights UK | Detail |
|---|---|
| Legal framework | UK GDPR + Data Protection Act 2018 |
| Regulator | Information Commissioner's Office (ICO) |
| ICO maximum fine (large org) | £17.5m or 4% of global annual turnover (whichever higher) |
| ICO complaint timeframe | Raise with organisation first; ICO after 3 months |
| Compensation route | Civil courts - ICO does not award individual compensation |
Your Rights Under UK GDPR After a Data Breach
Under Article 82 of UK GDPR, any person who has suffered material or non-material damage as a result of an infringement of data protection law has the right to claim compensation from the data controller or processor responsible.
Material damage includes financial losses directly caused by the breach - for example, fraudulent transactions on a bank account compromised by a credential leak. Non-material damage includes distress, anxiety and loss of privacy, even without financial loss. Courts in England and Wales have awarded compensation for non-material damage in data breach cases following the Supreme Court ruling in Lloyd v Google LLC [2021].
How to Complain to the ICO
The ICO is the UK's independent data protection regulator. To raise a complaint about a data breach:
- Step 1: Contact the organisation directly. UK GDPR requires organisations to respond to data subject complaints within one month. Keep a record of your communication and the date.
- Step 2: If you are unsatisfied with the response, or the organisation does not respond within three months, you can submit a complaint to the ICO at ico.org.uk/make-a-complaint.
- Step 3: The ICO investigates and can issue enforcement notices and fines to the organisation. It publishes its decisions on its website.
The ICO does not award compensation to individuals. Its role is regulatory enforcement. A favourable ICO finding can, however, support a civil compensation claim.
How to Claim Compensation
Compensation claims for data breaches are handled by the civil courts in England and Wales (or the Sheriff Court in Scotland). The process is:
- Write a formal letter of claim to the organisation setting out the breach, your losses and the compensation sought.
- If the organisation refuses or does not respond, file a claim through the county court (claims up to £10,000 go through the small claims track).
- For larger or more complex claims, specialist data protection solicitors can advise on prospects and funding options including conditional fee agreements (no-win, no-fee).
Several data protection law firms operate on a no-win, no-fee basis for data breach claims, particularly for larger breaches affecting thousands of individuals.
Group Litigation and Class Actions
Where a breach affects a large number of individuals, a group litigation order (GLO) allows multiple claimants to bring their cases together. This has occurred in several notable UK data breach cases involving supermarkets, healthcare providers and government contractors.
The Supreme Court's 2021 decision in Lloyd v Google LLC narrowed the scope for opt-out class actions in data cases under the representative procedure, but opt-in group claims under GLOs remain available.
ICO Registration and What It Means
Most organisations that process personal data in the UK must register with the ICO and pay an annual data protection fee. ICO registration does not guarantee data security - it is an administrative requirement confirming the organisation's processing activities. You can check whether an organisation is registered on the ICO's public register at ico.org.uk/esdwebpages/search.
Frequently Asked Questions
Can I claim compensation if I have not suffered financial loss?
Yes. UK GDPR provides for compensation for non-material damage, which includes distress and loss of control over your personal data. Courts assess the level of distress on a case-by-case basis. Amounts awarded for non-material damage in UK cases have typically ranged from a few hundred to a few thousand pounds depending on severity and circumstances.
How long do I have to make a claim?
The limitation period for data breach claims in England and Wales is generally six years under the Limitation Act 1980. The clock typically starts from the date you became aware of the breach, or reasonably should have become aware of it. Specialist legal advice is advisable on limitation in complex cases.
What should I do immediately after learning of a data breach?
Change passwords for affected accounts immediately. Enable two-factor authentication where available. Monitor your bank and credit accounts for unusual activity. Register with a credit reference agency alert service if your financial data may have been exposed. Keep all correspondence from the breached organisation as evidence.
Does the ICO always investigate my complaint?
The ICO prioritises complaints based on the severity of the breach and the public interest. It does not investigate every complaint individually. Where it declines to investigate, it will notify you and you retain the right to pursue a civil claim independently.