How to make a data protection breach claim for compensation

Unlike other firms specialising in data breach and privacy protection, we are focused on you – the individual. We do not represent any ‘group actions’ which comprise a large number of people claiming against the same company for the same breach.

This is because we know that every person is unique and we feel strongly that every data breach victim should be given the care and attention that they deserve.

Everyone is impacted differently by a data protection breach, and the distress you may have suffered due to a breach is something we believe deserves our undivided attention.

You will have heard about ‘GDPR claims’ and ‘GDPR breaches’. GDPR stands for the General Data Protection Regulation which is an EU Directive (or law) which the UK has incorporated within its own law.

The UK has a number of other data protection and privacy related laws but the other main legislation which you should know about is the Data Protection Act 2018. This replaced the Data Protection Act 1998 and introduced additional protections for individuals’ personal data.

You can bring a claim under GDPR or the Data Protection Act 2018 – or both. Sometimes, a company, or organisation, breaches both the GDPR and Data Protection Act.

As long as the breach occurred within the last six years you may have a valid claim. If you believe that your data has been breached, these four simple steps will help you to get the compensation that you deserve:

Step 1 – Report the data breach

At this point you may have received notification from an organisation that your personal data has been breached or found out about the breach in another way.

The first thing you should do is report the breach to the Information Commissioner’s Office (‘ICO’). You can do this through the ICO website.

Although it is not strictly necessary for you to report the breach to the ICO to be able to make a claim for compensation, we would recommend you do this anyway because the ICO decision report may support your claim.

Step 2 – Contact DRM Legal

Get in touch with our team who will be able to advise you whether you can make a data breach compensation claim.

You should do this as soon as possible and you do not need to wait for the ICO to respond to your data breach report (which can take several months depending on the facts of your case).

We will explain the claims process and with your permission we will contact the company which has breached your personal data after the ICO have provided a decision report in your case.

When we contact the offending company, we will attempt to establish how the breach occurred and how serious it was. Even if the ICO do not sanction a company, a decision report which makes recommendations about how the company should implement better GDPR policies will be enough to support your compensation claim.

If you decide you would like us to represent you in your claim, we will review all documents and evidence relevant to your case in order to prepare your claim to the highest standard.

Step 3 – Negotiation of settlement

This is a step which DRM Legal will take on your behalf; however, we make sure that we keep our clients involved at every step of their claim.

After we have considered all evidence and reports in accordance with step 2, we will give you a realistic estimate of what you could expect to receive in compensation for your data breach claim.

If you are happy with the estimated amount, we will begin negotiating the best possible settlement for you.

This may take some time, and the company which has breached your personal data may not accept our offer, or may make their own offer (a ‘counter-offer’) instead.

We will tell you if this happens and advise you on whether or not it would be reasonable to accept an offer for less than that originally estimated.

This might happen if, for example, you wish to avoid Step 4 below or if you are happy with the amount offered.

Step 4 – Taking your claim to court

If the company in breach fails to respond or accept your offer, or is unwilling to negotiate a settlement at all, we will contact the company to inform them that we intend to take them to court.

Most companies would seek to avoid the court process because data breach claims can be difficult to defend, especially when a company has been fined or sanctioned by the ICO for a data breach.

Other smaller companies which have not been sanctioned are likely to want to avoid any negative publicity which could affect their business, so they are also keen to avoid a case going to court.

If, however, it is necessary to bring the company in breach to court then we will help you to prepare for trial well in advance of any hearing.

In many data breach claims, the company will have already admitted the breach happened and the main argument will be about how much damage this has done.

Evidence of financial loss and distress which you have suffered (for example, by way of a medical report or your medical history) would be used to support your case.

Data breach claims are still fairly niche and so the compensation that is awarded by the courts can be varied. This is why it is important to make sure you have the best possible representation to ensure your claim succeeds.

If you think you have a claim, DRM Legal is here to help. Complete our simple claim form or speak to an advisor today.


Do you think you may have been a victim of a data breach? Our dedicated team is here to assist you with any questions you may have regarding personal data breaches. If you would like to know whether you are eligible to make a compensation claim for a personal data breach, please complete our claim enquiry form.