Millions of UK residents have had their personal data exposed in breaches over the past decade — from the British Airways cyberattack in 2018 to the Capita breach in 2023 that affected pension fund members and local authority employees. If your data was involved in a breach, you may be entitled to compensation under UK GDPR Article 82. You do not need to prove financial loss to make a claim.
The legal right to compensation
Article 82 of UK GDPR gives any individual the right to receive compensation from a data controller or processor for damage suffered as a result of a data protection infringement. The key word is "damage" — which UK courts have interpreted to include both material damage (financial losses) and non-material damage (distress, anxiety, loss of control over your personal information).
The landmark case that established non-material damage as a standalone basis for a claim was Vidal-Hall v Google [2015], in which the Court of Appeal confirmed that distress alone — without any financial loss — is sufficient to bring a compensation claim under UK data protection law. This opened the door to the wave of individual and class-action claims that has followed.
Who can claim?
You can make a data breach compensation claim if:
- A UK organisation (or one processing UK residents' data) suffered a breach
- Your personal data was involved in that breach
- You suffered damage as a result: financial loss, distress, or both
- The breach was caused by the organisation's failure to comply with UK GDPR
You do not need to be a customer of the organisation. Employees, former employees, job applicants, pension scheme members, and patients all have the same rights.
What counts as damage?
Non-material damage (distress)
UK courts and settled claims recognise the following as non-material damage:
- Anxiety and worry about how your data may be used
- Fear of identity theft or fraud
- Sleep disruption caused by concerns about the breach
- Embarrassment or loss of dignity (particularly relevant for health or sensitive data)
- Loss of trust and confidence in the organisation
- Psychological harm where the breach is severe
Material damage (financial losses)
These are recoverable in addition to distress compensation:
- Actual fraud losses — money taken from bank accounts or fraudulent transactions
- Costs of credit monitoring or identity protection services
- Time and expense dealing with the aftermath of identity theft
- Lost earnings if the breach affected your employment
- Professional fees (solicitors, credit agencies) incurred as a result of the breach
How much compensation can you claim?
Compensation amounts in UK data breach cases vary significantly depending on the type of data involved, the severity of distress suffered, and whether the data was used to commit fraud. Based on reported UK settlements and case outcomes:
| Scenario | Typical range |
|---|---|
| Contact details exposed, minor distress | £750 – £3,000 |
| Financial data exposed, no fraud occurred | £2,000 – £8,000 |
| Health or medical data exposed | £5,000 – £20,000 |
| Data used for identity theft or fraud | £5,000 – £30,000 + financial losses |
| Severe and lasting psychological impact | £15,000 – £35,000+ |
These are indicative ranges. Actual awards depend on the strength of evidence, the specific circumstances, and whether the claim is settled or decided by a court.
Notable UK data breach compensation cases
British Airways — settled 2021
Following the 2018 cyberattack that exposed personal and payment card data of approximately 420,000 customers, British Airways settled a class action claim brought by law firm PGMBM. The settlement amount was not publicly disclosed, but it was described as "substantial". The ICO had separately fined BA £20 million for the same breach.
Marriott International — settled 2022
Marriott faced both regulatory fines (£18.4 million from the ICO) and civil litigation following the Starwood database breach affecting 339 million guest records globally. UK claimants pursued compensation through no-win-no-fee arrangements.
WM Morrison Supermarkets — Court of Appeal 2020
An employee deliberately leaked the payroll data of nearly 100,000 colleagues. The Supreme Court ultimately ruled Morrisons was not vicariously liable for the deliberate act of a rogue employee acting outside the scope of employment — but the case established important principles about employer data breach liability.
How to make a claim: step by step
Step 1 — Confirm the breach
Contact the organisation directly and ask them to confirm whether your data was involved in a breach. Under UK GDPR, they must respond to your request within one month. You can also check news coverage, the ICO's enforcement register, or use haveibeenpwned.com.
Step 2 — File an ICO complaint
Submit a complaint to the Information Commissioner's Office at ico.org.uk. This is free and creates a formal record. The ICO cannot award you compensation, but its findings are powerful evidence in legal proceedings.
Step 3 — Document your damage
Keep a written diary of how the breach has affected you. Note anxiety, sleep problems, changes in behaviour, and any impact on work or relationships. If you have sought medical help, keep records. For financial losses, collect bank statements, receipts, and correspondence.
Step 4 — Consider legal representation
For claims above approximately £2,000, instructing a specialist data protection solicitor on a no-win-no-fee basis typically results in higher settlements than representing yourself. The solicitor will take a percentage of the award if successful (usually 25–35%).
Step 5 — Court or settlement
Most data breach claims settle before reaching court. Organisations generally prefer to avoid litigation and the associated publicity. For smaller claims, the County Court small claims track (up to £10,000) can be used without a solicitor.
Should you use a no-win-no-fee solicitor?
For straightforward smaller claims (under £2,000), you may be able to negotiate directly with the organisation or use the ICO complaints process. For anything more significant — particularly involving health data, financial fraud, or lasting psychological impact — specialist legal advice is valuable. Many data protection law firms offer free initial consultations.
Be cautious of claims management companies that charge upfront fees or take very high percentages. Look for SRA-regulated solicitors who specialise in data protection claims.