GovernStack
Compliance6 July 2026·7 min read

What Happens After a Data Breach: Your Step-by-Step Guide

You have been notified that your personal data was involved in a breach. What should you do next? This step-by-step guide covers immediate actions, how to protect yourself, when to complain to the ICO, and how to claim compensation.

You have received a letter, email, or notification telling you that your personal data was involved in a security breach. Perhaps a company you used was hacked. Perhaps your employer accidentally sent your details to the wrong person. Perhaps you discovered it yourself on haveibeenpwned.com. Whatever the source, the immediate question is always the same: what should you do now?

This guide walks through the steps in order — from immediate protective actions through to compensation claims. Not every step will apply to every breach, but following this sequence ensures you cover your bases.

Step 1: understand what was exposed

Before doing anything else, establish exactly what data was compromised. The breach notification should tell you this, but it is often vague. Contact the organisation directly and ask:

  • Exactly which categories of your data were affected (name, email, phone, address, bank details, passport, health data, passwords)?
  • Was the data encrypted or was it accessible in plain text?
  • Has the data been confirmed as accessed by an unauthorised party, or is it a precautionary notification?
  • What date did the breach occur, and when was it discovered?

The answers determine the severity of the situation and which of the remaining steps are most urgent.

Step 2: change passwords immediately

If login credentials were exposed — or if you used the same password on the breached service as you use elsewhere — change those passwords now. Prioritise:

  • The breached service itself
  • Your primary email account (because most other accounts can be reset via email)
  • Banking and financial services
  • Any other service where you reused the same password

Use unique, 16+ character passwords for each service. A password manager (Bitwarden, 1Password, Dashlane) is the only practical way to manage this. If you do not already use one, now is the time to start. Check how strong your new passwords are with the Password Strength Checker.

Step 3: enable multi-factor authentication

Even with a strong password, a compromised credential can be used if there is no second factor protecting the account. Enable MFA on every account that supports it — especially email, banking, and social media. Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS where possible, because SMS-based codes can be intercepted through SIM-swapping attacks.

Step 4: monitor for fraud

If financial data was exposed (bank details, credit card numbers, NI number), set up active monitoring:

  • Check bank and credit card statements daily for the first month, then weekly for six months. Look for any transactions you do not recognise, no matter how small — fraudsters often test with small amounts first
  • Check your credit file — free services like ClearScore, Credit Karma, and Experian offer credit monitoring and alerts. Look for credit applications you did not make, addresses you do not recognise, and accounts you did not open
  • Consider a CIFAS protective registration — this places a warning flag on your credit file so that lenders take extra verification steps before approving credit in your name. It costs £25 for two years

Step 5: report actual fraud

If you discover that your data has been used for fraud:

  • Contact your bank immediately and report the fraudulent transactions — most banks will freeze the account and reverse unauthorised payments
  • Report identity fraud to Action Fraud (actionfraud.police.uk) — this creates a crime reference number you will need for insurance claims and compensation
  • If a fraudulent credit application was made in your name, contact the lender and the credit reference agencies (Experian, Equifax, TransUnion) to have the application removed

Step 6: complain to the ICO

Filing a complaint with the Information Commissioner's Office is free and creates a formal record of the breach. The ICO investigates whether the organisation complied with UK GDPR — did they have appropriate security measures? Did they notify affected individuals promptly? Were they storing data they no longer needed?

The ICO cannot award you compensation directly, but its findings are powerful evidence if you later pursue a legal claim. To complain, visit ico.org.uk/make-a-complaint and follow the guided process. You will need to have complained to the organisation first and given them the chance to respond (usually 30 days).

Step 7: document the impact

If you intend to claim compensation — or even if you are not sure yet — start documenting how the breach has affected you from day one:

  • Keep a diary — note dates, describe how you felt, record any anxiety, sleep disruption, or impact on your daily life
  • Save all correspondence — breach notifications, emails with the organisation, ICO complaint acknowledgements
  • Record financial costs — time spent dealing with the aftermath, credit monitoring subscriptions, any fraud losses, travel to the bank, costs of replacing documents
  • Note medical impact — if the breach caused anxiety or stress significant enough to visit your GP, ask for a note on your medical record. This is important evidence for higher-value claims

Step 8: consider a compensation claim

Under UK GDPR Article 82, you have the right to claim compensation for both material damage (financial losses) and non-material damage (distress, anxiety, loss of control over your personal data). You do not need to prove financial loss — distress alone is sufficient since the Vidal-Hall v Google ruling in 2015.

Typical compensation ranges depend on the data type and severity of impact:

ScenarioTypical range
Contact details, minor worry£750 – £3,000
Financial data, moderate anxiety£2,000 – £8,000
Health or medical data exposed£5,000 – £20,000
Data used for fraud£5,000 – £30,000+
Use the Data Breach Compensation Calculator to estimate your specific compensation range based on the data involved and the impact on you. For a detailed breakdown by sector, see our guide to data breach compensation by sector.

Step 9: decide on legal representation

For claims above approximately £2,000, a specialist data protection solicitor operating on a no-win-no-fee basis will typically achieve a higher settlement than self-representing. The solicitor takes 25–35% of the award if successful; you pay nothing if the claim fails.

For smaller claims, you can pursue the matter through the County Court small claims track (up to £10,000) without a solicitor. The organisation often prefers to settle rather than attend a hearing.

Be cautious of claims management companies that cold-call or text you after a breach. Many charge high fees or take excessive percentages. Look for SRA-regulated solicitors who specialise in data protection law.

The timeline

Data breach compensation claims must be brought within six years of the breach (or from when you became aware of it). However, the sooner you act, the stronger your claim. Evidence is fresher, organisations are more responsive, and the ICO investigation is more likely to produce useful findings.

Key deadlines: Complain to the organisation within 30 days of learning about the breach. File an ICO complaint within 3 months. Consider legal advice within 6 months. The 6-year limitation period is a backstop, not a target — acting quickly produces better outcomes.