Step-by-step guide to making a data breach claim

In May 2018, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 were brought into effect to ensure there are greater security measures in place for the collection and processing of personal data. This legislation provides individuals with improved control over their personal data and what data can be held by organisations. As part of this data protection legislation, you have a right to claim compensation for any suffering experienced as a result of a personal data breach.

If you have fallen victim to a personal data breach, it can be difficult knowing what your rights are or what action you should take next. This step-by-step guide to claiming compensation for a personal data breach will help you understand personal data breaches, your data protection rights and how to claim compensation for a data breach.

Understanding Data Protection

Organisations are required to have appropriate technical and organisational measures in place to protect any personal data they collect. Under GDPR, organisations collecting any type of personal data must follow seven key principles to ensure they are processing data in a secure, transparent, and lawful way. These companies should also obtain consent for data collection and provide disclosure where required.

When you visit a website, you may notice a “cookie policy” pop-up when the page first loads. This pop-up is designed to inform you that the website may use cookies to collect data on you. Within the cookie policy, you should be able to see further details about the specific data being collected. This is just one example of a time when companies may collect personal data and obtain consent before doing so.

Since the implementation of GDPR and the Data Protection Act, many companies have implemented strict measures to ensure the protection of any data they collect. However, this is not always the case. Companies with inadequate security or data processing procedures are at greater risk of personal data breaches. If your data has been misused, lost, destroyed or disclosed, whether accidentally or deliberately, you may be able to claim compensation for this breach of personal data.

Under GDPR, you have a right to claim compensation from an organisation if you have suffered damage as a result of a personal data breach. This includes both material and non-material damage. Therefore, if you have experienced any kind of emotional, financial, mental, or physical distress or harm as a result of being a victim of a personal data breach, you may be eligible to claim compensation.

What are my personal data rights under GDPR?

The introduction of GDPR provided individuals with numerous rights regarding the collection of their personal data. As outlined by GDPR, your personal data rights include:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

These personal data rights provide you with a certain level of control over the way companies collect and use your personal data. By understanding your personal data rights, you can make sure you are only providing your data to companies that you trust to process it securely and to only use it for its intended purpose.

What data do organisations hold about me?

In today’s world, many organisations hold a large amount of information about us. The type of personal data held about you will differ depending on the reason why the organisation is collecting your data. Furthermore, the type of organisation may also impact the types of personal data they collect about you.

Common types of personal data that organisations may hold about you include:

  • Name
  • Address
  • Gender
  • Date of birth
  • Email address
  • Telephone number
  • Credit card details
  • Password

However, this is not an exhaustive list. Some organisations may not collect all of the above, and other organisations may collect additional personal data details about you. For instance, your doctor will have personal data pertaining to your medical history. Similarly, the police will collect additional personal data based on their requirements for law enforcement purposes.

What counts as personal data may include more than you think. In short, personal data refers to anything that allows a person to be identified. Even anonymized forms of data collection can be considered personal data if they allow the organisation or individual to identify individual anonymous users.

How do I know if my personal data has been breached?

If you have been involved in a personal data breach that puts your rights and freedoms at risk, the company involved in the data breach must inform you without undue delay. They will likely do this by email, telephone or post depending on what method of contact they have for you.

Other ways that you may become aware of your data being breached include suddenly receiving a large number of spam emails or noticing unusual activity in your bank account.

When informing you of a breach of data protection, the company should provide you with:

  • the name and contact details of its data controller or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.

What should I do if my personal data has been breached?

No matter how secure you may think a company’s data processing procedures are, they could still be at risk of a data breach. Personal data breaches can happen for many reasons, from a malicious security hack to accidental loss of files containing personal data.

If your personal data has been breached, there are several steps you can take to minimize the potential damage caused by the data breach.

Can I get compensation for a personal data breach?

If you have experienced financial loss due to a personal data breach, you are extremely likely to be able to claim compensation for this breach. However, financial loss is not the only factor that can result in compensation. If a data breach has caused any kind of emotional, financial or psychological distress, you may be eligible to claim compensation for the distress caused by the personal data breach.

The current period for making a data breach claim is 6 years, or 1 year if it involves a breach of Human Rights. Therefore, if you have been made aware of a personal security breach that involved your personal details in the past 6 years, you may be able to make a claim.

Who can I claim against for a breach of data protection?

When submitting a claim for a breach of data protection, you can claim against an individual or an organisation in the public sector, private sector or charitable sector. GDPR claims and data breach claims are most often settled outside of court.

Our team of expert solicitors will help you determine whether you have a worthwhile data breach claim. If you do have an eligible claim for a breach of data protection, we can act as no win no fee solicitors on your behalf when bringing a claim against a company or individual who committed the data breach.

The amount of money you can get from a data breach compensation claim depends on the circumstances of your data breach. A minor data breach typically results in £1,000 – £3,000 compensation, whereas a major breach of confidentiality or data protection could result in £8,000 – £45,000 compensation depending on the severity of the data breach outcomes and distress caused.

Do I need to go to court to get compensation for a data protection breach?

Data breach claims are usually settled outside of court. However, when you appoint our expert team of Data Breach specialists to handle your data breach claim, we will be here to help you through every stage of the process including court appearances, if required.

Most companies seek to avoid the court process because data breach claims can be difficult to defend, especially when a company has been fined or sanctioned by the ICO for a data breach. Similarly, smaller companies are likely to want to avoid any negative publicity which could affect their business. Therefore, they are also keen to avoid a data breach case going to court.

However, in some circumstances your data breach claim may require you to bring the company in breach to court to settle the claim. If this happens, we will help you to prepare for trial well in advance of the hearing.

When making a claim for a data violation, evidence of financial loss and distress suffered will be used to support your case. As data breach claims are still niche, it is important to make sure you have the best possible representation to ensure your claim succeeds.

If you think you have a claim, DRM Legal is here to help. Complete our simple claim form or speak to an advisor today.


Our dedicated team is here to assist you with any questions you may have regarding personal data breaches. Please feel free to contact us if you believe that you have suffered financial or emotional distress as a result of a data breach within the past 6 years. If you would like to know whether you are eligible to make a compensation claim, please complete our claim enquiry form.