How To Sue For A GDPR Data Breach Compensation?

Has your personal data been leaked? Are you suffering the consequences of a data breach? Since the introduction of the EU directive, the General Data Protection Regulation (GDPR), data subjects, those who supply personal information to organisations, have a lot more control over how their personal data is processed. However, the United Kingdom is no longer part of the EU, so it has recently updated the Data Protection Act 2018 and devised its own take on the GDPR. In this guide, we shall discuss when a data subject could be eligible to claim against a data controller for a breach of their data privacy.

How to sue for a GDPR data breach guide

Our guide aims to take a detailed look at data breach claims and how to sue someone who hasn’t kept your personal information safe. However, if you still have any questions after reading, our advisors can help you.

Our team is available 24/7 to provide you with free legal advice on GDPR data breaches. Additionally, they can connect you with a solicitor when you’re ready to start your claim.

For more information, call us on 0800 408 7827. Alternatively, please continue reading.

The Process Of Suing For A GDPR Data Breach

  1. A Guide On How To Sue For A GDPR Data Breach 
  2. What Is A Lawsuit For A Breach Of The GDPR?
  3. What Could I Claim Compensation For After A GDPR Breach?
  4. Who Could I Sue For A Breach Of The GDPR?
  5. What Evidence Can Show You Were Affected By A Data Breach?
  6. Work Out How Much You Could Sue For A GDPR Data Breach 
  7. Accepting A Data Breach Settlement Offer
  8. Do I Need A Data Breach Solicitor?
  9. Data Breach Claims – No Win No Fee Solicitors
  10. Ask Our Team About How We Could Help You
  11. Real Life Data Breach Case Studies
  12. Get Free Data Breach Claims Advice
  13. FAQs On Suing For A Data Breach
  14. Resources

A Guide On How To Sue For A GDPR Data Breach 

We understand the frustration you might be feeling. It seems impossible to do anything online without providing some personal information. For example, the simple act of signing up to a website means giving them your email address and name. 

However, despite the many risks of being online, we aren’t always aware of how important cybersecurity is, not only on an individual level but on a larger scale too. For example, organisations that require your personal information are required to:

  • Have a lawful basis for collecting your data
  • Take steps to keep your data safe 

The laws that we discussed above, however, do not just protect online data; they also protect any personal information that is stored in physical files. Importantly, not all information is protected, only data that can identify you directly or indirectly.

If data controllers fail to adhere to these laws and regulations, they could face a fine from the Information Commissioner’s Office (ICO). The ICO monitors the way companies use people’s data.

If you’re unsure what constitutes a data breach or how to make a data breach claim, you’ve come to the right place. Our guide will be looking at the following:

  • No Win No Fee agreements
  • What a data breach is 
  • Benefits of a data breach lawyer
  • What causes a data breach, e.g. hacking or human error
  • Evidence you need to make a claim
  • Compensation awards for a data breach 

Furthermore, you might be wondering how long you have to start a claim. There are time limitations. However, generally, you have 6 years for a data privacy breach claim or 1 year if making a claim against a public body. 

What Is A Lawsuit For A Breach Of The GDPR?

When you think about data breaches, you’re probably thinking about them in the digital sense. Whilst breaches could happen online, those aren’t the only occurrences. For example, a physical breach could happen if a company fails to store or dispose of your personal information correctly. This might happen if they throw documents with your details on them into the general waste, where people can access them easily.

You might be wondering how a digital breach can happen. There are many reasons, including:

  • Malware
  • Virus
  • Ransomware
  • Hack
  • Cyberattack
  • Lack of cybersecurity

A cyberattack can happen because a hacker causes a Distributed Denial of Service (DDoS) attack. This essentially stops users from being able to access their devices by disrupting the service.

The way data is used and stored by companies is regulated, and has been more so in the last few years. For instance, the GDPR is a data privacy and security law created by the European Union. It sets out legal requirements as to how data should be collected and processed. This applies to organisations worldwide when handling data from people within the EU.

Additionally, the Data Protection Act 2018 was created by the UK. It was put in place to protect members of the public by controlling the way data controllers process personal data. It runs alongside the UK GDPR. It stipulates the key components of how personal data should be handled.

Furthermore, the ICO ensures that companies and organisations follow the laws set out in the UK GDPR and Data Protection Act 2018. 

How can a data breach happen?

Data breaches can happen for many reasons. But what constitutes a GDPR data breach? Essentially, a personal data breach may mean your data is:

  • Destroyed, lost or altered
  • Disclosed, accessed, transmitted 

All without your authorisation, whether by accident or on purpose and without a lawful basis.

This might include:

  • Sending an email that contains personal information to the wrong email address.
  • Throwing away documents that contain personal data in the general waste. 
  • Personal letters posted to the wrong address. 
  • Leaving a laptop that holds personal files and is not password protected on a train.

There are many other ways your data could have been breached. If any of the above has happened to you or any other example not listed, you might be able to claim compensation. See below for the types of damages you can claim.

Can I sue a company for a data breach? 

We all have the right to have our personal data protected, stored and handled correctly. If you’ve been a victim of a data breach by a company, you could be awarded compensation. Compensation will cover financial losses and any psychological distress you’ve suffered. However, it is not enough just for a data breach to have affected you. You must be able to establish, using valid evidence, that the data controller failed in its role to protect your data; otherwise, a claim is unlikely.

What Could I Claim Compensation For After A GDPR Breach?

The GDPR gives you the right to claim compensation where an organisation is at fault for not keeping your data safe. Material damages and non-material damages will make up your overall data breach compensation. Claiming for a data breach is slightly different from claiming for a personal injury because you do not need to have suffered an injury to claim financial losses.

Material damages will cover the money you’ve lost as a direct result of your data being exposed. For example, this might include:

  • Money taken from your bank account because of the data breach
  • A damaged credit score means you have to pay higher rates
  • Identity fraud means credit cards are taken out in your name

Non-material damages will cover the trauma you’ve suffered as a result of the data breach. For example, any psychological difficulties you’ve faced. 

For more information on who you can sue in your data breach claim, see below. 

Who Could I Sue For A Breach Of The GDPR?

Essentially, to hold a valid data breach claim for compensation, you must be able to show that the data controller did not do enough to keep your data safe. For instance, they did not train their staff on data awareness and this caused your personal information to be exposed. The fact that a data breach has occurred does not automatically mean you can make a claim.

Data controllers can do the following as ways of protecting personal data:

  • Regular reviews of data protection policies
  • Keeping software and equipment up to date with the latest security updates, including a solid firewall
  • Data protection and safety training
  • Encrypting and backing up data 

Although they should ensure your data stays protected, liability isn’t always straightforward. For that reason, it’s important to have the correct evidence for any data breach claims.

What Evidence Can Show You Were Affected By A Data Breach?

Like with any type of claim, evidence is key. The evidence you require can depend on what you’re claiming. For example, if you’re claiming for serious psychological damages, you may be invited for an assessment to get a psychological report. This medical evidence is important in building a valid GDPR data breach compensation claim. 

Additionally, if you have reason to believe that your data has been breached, you can make a complaint to the Information Commissioner’s Office. They can advise whether a breach has occurred, and that can also be used as evidence. 

If you have any questions on the evidence you can use to sue for a data breach, you can contact our team for more help and support. 

More Tips On Proving A GDPR Breach Compensation Claim

When it comes to making a GDPR breach compensation claim, evidence is vital. One of the most important pieces of evidence you can provide your solicitor is a letter or email from the organisation that committed the breach.

Such a letter would usually state that your data has been breached, when it occurred, and details given on the types of personal data exposed, for example, your name, address or, in the most serious of cases, your sensitive or financial information.

If you don’t have any correspondence like this, we recommend getting in touch with the organisation to make a complaint.

Under the UK GDPR, they must provide a response. However, should they fail to do so within 3 months of your initial complaint, you can escalate the matter to the ICO, who may conduct an investigation.

The findings of an ICO report on the incident would also help prove your data breach claim.

If you’ve also been to see your GP or perhaps visited the hospital due to the stress and worry the breach has caused you, the medical notes from these visits would also help you prove your claim.

Medical records like this may also help your solicitor assess how much compensation you could be entitled to for the GDPR breach.

To learn more about claiming compensation for a data breach, get in touch today. The advice we provide is completely free and carries no obligation on your part to take the matter any further.

Work Out How Much You Could Sue For A GDPR Data Breach 

The table below shows examples of the compensation you could claim for data breaches. It covers non-material damages, which cover any psychiatric damage you may have suffered. The figures are based on the Judicial College guidelines, a document solicitors often use to value claims. 

The figures should be used as a guide only as actual compensation figures can vary.

| Injury | Severity | Average compensation amount | Comments |
|---|---|---|---|
| Psychiatric Damage | Moderately severe | £17,900 to £51,460 | Aspects of life, work, social settings will all be severely affected however the prognosis is much more optimistic than in severe cases. |
| Psychiatric Damage | Moderate | £5,500 to £17,900 | There will have been marked issues with work, family and social life but the prognosis is better than the above category. |
| Psychiatric Damage | Less severe | £1,440 to £5,500 | The level of the award will take into consideration the length of the period of disability and the extent to which daily activities and sleep were affected. |
| Post-traumatic stress disorder | Severe | £56,180 to £94,470 | The injured person will not be able to return to a pre trauma state. All aspects of life such as social, family and work will be negatively affected. |
| Post-traumatic stress disorder | Moderate | £7,680 to £21,730 | The injured person will have suffered traumatic symptoms but by trial will have made sufficient recovery and the prognosis is good. |

Accepting A Data Breach Settlement Offer

During your data breach claim, you and your solicitor will be working towards getting an offer of compensation that you’re happy with. However, you don’t have to accept the first offer. Instead, your solicitor might advise you to make a counteroffer if they think it the best course of action. 

Although a solicitor can provide advice using their knowledge of handling other data breach cases, they can’t make any decisions for you. It’s your decision when to accept an offer. However, your solicitor will always guide you through the process if you’re ever unsure. 

For more information on how a solicitor can help you, see below. 

Do I Need A Data Breach Solicitor?

If you don’t want to use a solicitor, you don’t have to. However, it can be beneficial to have a solicitor representing you. For example, they can guide you through the sometimes complex legal system. Additionally, if you’re someone who doesn’t have a lot of spare time, a solicitor can ease some of the additional pressure you might have claiming alone. 

Data Breach Claims – No Win No Fee Solicitors

If you suffered harm after your personal data was compromised due to a UK GDPR breach, we recommend you hire legal help, as they have the experience to help you with your claim. You could be able to hire a No Win No Fee solicitor to help you claim compensation in a data breach claim.

Under a No Win No Fee agreement, you would not:

  • Pay upfront to hire your solicitor
  • Pay any ongoing fees to your solicitor as payment for their services

If you are successful, your solicitor will take a success fee as payment. This fee has a legal cap in place and can only come from your compensation.

If you are unsuccessful, they will not require this fee. Claimants in unsuccessful No Win No Fee data breach claims do not have to pay their solicitors out of pocket.

Please reach out to a member of our team to discuss what working with a solicitor could entail or for more data breach compensation examples that could be relevant to your claim.

Ask Our Team About How We Could Help You

Data breaches can have a serious impact on you. However, we are here to help. Although we’ve tried to cover as much information as possible in our guide, you may still have questions. If so, our advisors can provide further clarification on the following:

  • No Win No Fee agreements
  • Claiming with a solicitor 
  • Evidence for your claim 

Additionally, our advisors can provide an estimate of how much your claim might be worth. Then, once they have further details on your case, they can give a more informed idea of what compensation you could claim. 

For more information on how you can connect with us, see below for our contact details.

Real Life Data Breach Case Studies

There have been numerous incidents where companies operating in Britain have experienced a large-scale data breach. One such incident caused by inadequate security measures affected Dixons Carphone (now renamed Currys plc). The retailer’s shops were compromised by a cyberattack that affected at least 14 million people.

The attack involved malicious software being installed on 5,390 tills in branches of Currys PC World and Dixons Travel chains. Between July 2017 and April 2018, the rogue software went undetected and collected a large amount of data which left customers vulnerable to both identity fraud and financial theft. The payment card details of over 5 million customers were harvested. Other personal information such as full names, postcodes and email addresses of many customers was also acquired through the cyberattack.

The Information Commissioner’s Office (ICO) investigated the data breach and found that there were ‘systemic failures’ in the way that Dixons Carphone secured its customer data. The failures were considered so serious that the ICO issued a £500,000 fine against Dixons Carphone.

A separate data breach incident, which was caused by human error, affected students at the University of East Anglia in June 2017. A spreadsheet containing personal information of 191 undergraduates was accidentally sent to 298 people at the University. Details such as health problems, bereavements and other personal issues for the undergraduates were contained in the spreadsheet.

Following the error, insurers for the University paid out £142,512 to the affected students.

To learn more about claiming for data breach compensation, you can read the guide link here or contact our advisors here at How To Sue.

Source for University of East Anglia data breach incident:

Get Free Data Breach Claims Advice

Our advisors are available 24/7 to provide you with free legal advice and to answer any questions you might have. Additionally, they can connect you with a data breach solicitor if you’re ready to make your claim.

We want to hear from you about how a data breach has affected you or someone you know. Contact us on the following so you can get started with your claim today:

  • Telephone number – 0800 408 7827
  • Live chat at the bottom of the page
  • Send us an enquiry using the form, and we’ll contact you at your specified time

FAQs On Suing For A Data Breach 

Can I get compensation for a GDPR breach?

It is possible to claim compensation for a data breach in certain circumstances. However, the data breach compensation amounts can vary when you make a claim.

How much compensation can you get for data breach?

The ICO can fine organisations or individuals who have breached data protection. However, the amount of compensation you can claim can vary depending on the severity of the effects of the data breach.

How long does a data breach claim take?

How long it can take to make a data breach claim can vary. For instance, it depends on the varying circumstances of the case. 


Did your employer breach your data privacy? If so, see our guide on how to sue your employer.

For more information on what to do if your local council breached your personal information, see our guide. 

For more detailed information on how the GDPR applies to you, visit this guide on the ICO website.

If you’re unsure how companies use your data, the ICO has created a guide on being more data aware.

Here is the full GDPR document if you require any further information.

If you’ve been harmed by medical negligence, see our guide on suing a hospital for more information.

We hope you found our guide on how you can sue for a GDPR data breach useful. Thank you for reading.