Step-by-step guide to making a data breach claim

In May 2018, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 were brought into effect to ensure there are greater security measures in place for the collection and processing of personal data. These laws give individuals improved control over their personal data and what data can be held by organisations. As part of this data protection legislation, you have a right to claim compensation for any suffering experienced as a result of a personal data breach.

If you have fallen victim to a personal data breach, it can be difficult knowing what your rights are or what action you should take next. This step-by-step guide to claiming compensation for a personal data breach will help you understand personal data breaches, your data protection rights and how to claim compensation for a data breach.

Understanding Data Protection

Organisations are required to have appropriate technical and organisational measures in place to protect any personal data they collect. Under GDPR, organisations collecting any type of personal data must follow seven key principles to ensure they are processing data in a secure, transparent, and lawful way. These companies should also obtain consent for data collection and provide disclosure where required.

When you visit a website, you may notice a “cookie policy” pop-up when the page first loads. This pop-up is designed to inform you that the website may use cookies to collect data on you. Within the cookie policy, you should be able to see further details about the specific data being collected. This is just one example of a time when companies may collect personal data and obtain consent before doing so.

Since the implementation of GDPR and the Data Protection Act, many companies have implemented strict measures to ensure the protection of any data they collect. However, this is not always the case. Companies with inadequate security or data processing procedures are at greater risk of personal data breaches. If your data has been misused, lost, destroyed or disclosed, whether accidentally or deliberately, you may be able to claim compensation for this breach of personal data.

Under GDPR, you have a right to claim compensation from an organisation if you have suffered damage as a result of a personal data breach. This includes both material and non-material damage. Therefore, if you have experienced any kind of emotional, financial, mental, or physical distress or harm as a result of being the victim of a personal data breach, you may be eligible to claim compensation.

What are my personal data rights under GDPR?

The introduction of GDPR provided individuals with numerous rights regarding the collection of their personal data. As outlined by GDPR, your personal data rights include:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

These personal data rights provide you with a certain level of control over the way companies collect and use your personal data. By understanding your personal data rights, you can make sure you are only providing your data to companies that you trust to process it securely and to only use it for its intended purpose.

What data do organisations hold about me?

In today’s world, many organisations hold a large amount of information about us. The type of personal data held about you will differ depending on the reason why the organisation is collecting your data. Furthermore, the type of organisation may also impact the types of personal data they collect about you.

Common types of personal data that organisations may hold about you include:

  • Name
  • Address
  • Gender
  • Date of birth
  • Email address
  • Telephone number
  • Credit card details
  • Password

However, this is not an exhaustive list. Some organisations may not collect all of the above, and other organisations may collect additional personal data about you. For instance, your doctor will have personal data pertaining to your medical history. Similarly, the police will collect additional personal data based on their requirements for law enforcement purposes.

What counts as personal data may include more than you think. In short, personal data refers to anything that allows a person to be identified. Even anonymized forms of data collection can be considered personal data if they allow the organisation or individual to identify individual anonymous users.

How do I know if my personal data has been breached?

If you have been involved in a personal data breach that puts your rights and freedoms at risk, the company involved in the data breach must inform you without undue delay. They will likely do this by email, telephone or post depending on what method of contact they have for you.

Other ways that you may become aware of your data being breached include suddenly receiving a large number of spam emails or noticing unusual activity in your bank account.

When informing you of a breach of data protection, the company should provide you with:

  • the name and contact details of its data controller or other contact point that can provide more information
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects

What should I do if my personal data has been breached?

No matter how secure you may think a company’s data processing procedures are, they could still be at risk of a data breach. Personal data breaches can happen for many reasons, from a malicious security hack to accidental loss of files containing personal data.

If your personal data has been breached, there are several steps you can take to minimize the potential damage caused by the data breach.

Can I get compensation for a personal data breach?

You can claim compensation for a personal data breach. If you have experienced distress or suffered financial loss as a result of a GDPR or personal data breach incident, you may be able to claim compensation.

However, you do not have to have experienced distress or financial loss in order to make a data breach compensation claim. Companies have a legal duty to protect your data. If a company has failed to protect your data and you have experienced a loss of privacy, such as your email address being breached or your passwords being exposed, you can still claim compensation due to the company failing to uphold the legal obligation to protect your data.

There’s no set rule regarding how much money you could be awarded for a personal data breach claim. The most frequent minimum settlement claim you could potentially obtain is £750 – £1,000. For higher profile cases, such as medical claims where the risks are higher, you could be entitled to a larger compensation settlement. In some instances where the privacy of medical records was breached, clients have received £6,000 – £8,000 in settlement payouts.

Our dedicated team is here to assist you with any questions you may have regarding personal data breaches. Please feel free to contact us if you believe that you have suffered financial or emotional distress as a result of a data breach within the past 6 years. If you would like to know whether you are eligible to make a compensation claim, please complete our claim enquiry form.