Your Personal Data Has Been Leaked
An organisation has suffered a data breach and your personal data has been exposed. This page explains your rights to compensation under UK GDPR Article 82, the ICO complaint route, and how to pursue a claim through the courts.
Quick Answer
UK GDPR Article 82 gives you the right to compensation from any controller or processor responsible for a breach that caused you material or non-material damage. You can complain to the ICO (free) or bring a court claim (county court or High Court). For major breaches affecting many people, a representative action or group claim may also be available.
Full Explanation
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under the UK GDPR (which retains the EU GDPR structure post-Brexit, incorporated into domestic law by the Data Protection Act 2018), controllers must notify the ICO of certain breaches within 72 hours of becoming aware of them (Article 33 UK GDPR), and must notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34).
Article 82 of the UK GDPR provides a right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the Regulation. Material damage includes direct financial loss. Non-material damage includes distress, anxiety, and loss of control over personal information. The Supreme Court in Lloyd v Google LLC [2021] UKSC 50 held that mere loss of control over data โ without proof of individual damage โ is not sufficient to found a claim in England and Wales, but subsequent cases have established that distress claims remain viable where actual distress is proven.
The ICO can investigate data breaches and take enforcement action against controllers (reprimand, enforcement notice, or a fine up to ยฃ17.5 million or 4% of global turnover). However, the ICO does not award compensation to individuals โ it is a regulator, not a compensation scheme. For compensation, you must pursue a civil claim through the courts.
A county court claim under Article 82 is brought as a personal data claim. For claims up to ยฃ10,000, the small claims track applies. Evidence required: confirmation of the breach (the controller's notification to you or ICO reports), evidence of the information leaked, and evidence of the damage suffered (financial records, medical evidence of distress, evidence of identity fraud). Controllers have a defence if they prove they are not in any way responsible for the event giving rise to the damage.
For large multi-party breaches, a representative action under CPR Rule 19.8 may allow a lead claimant to represent a class of affected individuals. Specialist data breach litigation firms often take these cases on a no-win no-fee basis.
Legal Basis
- ยงUK GDPR, Article 82 โ Creates the right to compensation for material or non-material damage caused by a UK GDPR infringement by a controller or processor.
- ยงData Protection Act 2018 โ Implements the UK GDPR in domestic law, supplements it, and establishes the ICO as the supervisory authority.
- ยงLloyd v Google LLC [2021] UKSC 50 โ Supreme Court authority establishing that loss of control over data alone, without individual proof of damage, is insufficient for a representative claim in England and Wales.
What To Do
Confirm the Breach With the Data Controller
Contact the organisation that suffered the breach. They must tell you what data was affected, how it was exposed, and what steps they are taking. If you have not received a notification, make a subject access request (SAR) under UK GDPR Article 15 to understand what data they hold and whether it has been compromised.
Document the Impact
Keep a record of all financial losses (identity fraud, credit damage, costs of mitigating the breach), distress (diary entries, GP records, evidence of anxiety or loss of sleep), and any other adverse consequences. This evidence is essential for a compensation claim under Article 82.
Claim Compensation Under Article 82
Write a letter of claim to the organisation setting out the breach, the data involved, the damage suffered, and a compensation figure. Many organisations will settle Article 82 claims without litigation โ especially for large breaches. Give them 30 days to respond before issuing proceedings.
File an ICO Complaint If No Satisfactory Response
If the organisation does not respond adequately, file a complaint with the ICO at ico.org.uk. The ICO will investigate and can issue enforcement notices and fines. An ICO finding against the organisation will strengthen your civil claim. You must generally exhaust the organisation's own complaint procedure first.
Consider a Court Claim
If the letter of claim does not produce a satisfactory settlement, issue proceedings in the county court. For claims under ยฃ10,000, use the small claims track (no costs risk). Instruct a solicitor for larger claims, particularly if you are part of a group breach where a class action may be more appropriate.
Important Deadlines
Important Warnings
The six-year limitation period for data protection claims runs from the date you knew or ought to have known about the breach โ not from the breach itself.
Check your credit file immediately after a breach involving financial or identity data. Register for fraud alerts and consider a CIFAS protective registration if there is a risk of identity fraud.
The ICO cannot award you compensation. Its role is regulatory enforcement. If you want financial compensation, you must pursue a civil claim โ ICO complaints and civil claims run in parallel.