The UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (as amended) impose rigorous obligations on entities processing personal data. They also grant individuals enforceable rights to seek compensation for breaches that cause harm, and together they can be a dry but tricky body of legislation to get your head around.
Azmi Quraishe, Head of Litigation and Dispute Resolution at Scott Bailey, says: “Understanding the legal ramifications of GDPR breaches is crucial for both individuals and organisations to navigate claims and compliance effectively.”
This article briefly explores the compensation entitlements for individuals, the penalties faced by organisations, and the claims process for each.
Understanding liability and compensation
For individuals
Under Article 82 of the UK GDPR, individuals are entitled to claim compensation if they have suffered actual damage as a result of a breach. To establish liability, claimants must demonstrate a breach of GDPR obligations.
Claimants will need to show that the organisation failed to comply with its GDPR requirements, such as mishandling data, lacking adequate safeguards, or processing data unlawfully, and that there was demonstrable harm as a result. Demonstrable harm can be either material (such as financial loss) or non-material (such as emotional distress).
For organisations
Organisations may be able to avoid liability if they can demonstrate that the breach was caused by external factors beyond their reasonable control (e.g. a sophisticated cyberattack), despite having implemented appropriate and up-to-date security measures. Organisations will also need to demonstrate that they had suitable technical and organisational safeguards in place to prevent breaches.
GDPR breach compensation
The UK courts assess compensation based on the specific circumstances of each case, considering factors like the severity of the breach and the extent of the damage suffered.
Under Article 82 of the UK GDPR, individuals have the right to receive compensation if they suffer material (e.g., financial loss) or non-material (e.g., emotional distress) damage as a result of an infringement of the UK GDPR. However, the law requires actual damage to be proven, and a mere infringement is not enough.
Categories of compensable damages
As briefly outlined above, compensation claims brought by individuals may cover some or all of the following types of damage:
- Material damages: financial losses, such as those from fraud or identity theft.
- Non-material damages: psychological harm, including distress and anxiety.
- Loss of privacy: infringement of privacy rights, even without financial harm.
- Reputational harm: damage to personal or professional reputation.
- Time and effort: costs associated with addressing the breach, such as securing accounts.
For organisations
An organisation dealing with a claim for damages as above will need to make informed decisions, as the financial and reputational repercussions of breaches can be substantial. The costs to be mindful of include compensation payments to affected individuals, legal fees and the expenses incurred in defending against claims, and the risk of reputational damage and loss of trust from customers and stakeholders. Organisations also face the very real risk of regulatory fines and penalties imposed by the Information Commissioner’s Office (ICO) for breaches.
The ICO operates a two-tier structure for penalties imposed for breaches as follows:
- Tier 1 (less serious breaches): penalties can reach up to £8.7 million or 2% of annual worldwide revenue, whichever is higher.
- Tier 2 (serious violations): penalties can reach up to £17.5 million or 4% of annual global revenue.
Organisations can also face additional corrective measures, such as temporary or permanent bans on data processing, orders to rectify or delete affected data, and suspension of international data transfers.
While the ICO does not award compensation, individuals may leverage its findings to strengthen their claims. Complaints can be lodged with the ICO to highlight systemic failures or breaches of GDPR obligations.

What to do if you suspect or experience a breach as an organisation
It is essential to be proactive and take swift, positive steps. If your organisation becomes aware of a potential personal data breach, you should:
- Identify and contain the breach immediately: investigate what has happened, stop any ongoing exposure of data, and secure your systems to prevent further loss or unauthorised access.
- Assess the risk: determine whether the breach is likely to result in a risk to individuals’ rights and freedoms. Consider the type and sensitivity of data involved, how many people are affected, and the potential consequences.
- Document everything: under Article 33(5) of the UK GDPR, you must keep a detailed record of any personal data breach, regardless of whether it is reportable to the ICO. This includes what happened, how it was contained, and what remedial actions were taken.
- Report to the ICO if required: if the breach is likely to result in a risk to individuals’ rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it. You can report online via the ICO website.
- Notify affected individuals if necessary: if the breach poses a high risk to individuals’ rights and freedoms, you must also inform those affected without undue delay, in clear and plain language.
- Speak to an expert: a solicitor can help assess the risk, ensure compliance, and manage communication with regulators and affected parties.
- Review and update security measures: conduct a post-breach review to identify and rectify any gaps in your policies, training, or technical safeguards.
What to do if you receive a GDPR security breach notification
If your data has been compromised in a security incident, you may receive a direct notification from the organisation responsible for handling your data. Under Article 34 of the UK GDPR, controllers are legally required to communicate a personal data breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
You may be notified:
- By email or letter from the organisation
- Through an account alert if you’re a user of a platform
- Via a press release or public notice (in large-scale breaches)
If you’re informed that your data has been compromised, some of the steps you should take in the first instance are as follows:
- Read the notification carefully: it should explain what data was affected, when it happened, and what the organisation is doing in response.
- Change your passwords: especially for any affected accounts, and use strong, unique passwords.
- Monitor your accounts: watch for suspicious activity in bank accounts, emails, or social media.
- Contact your bank: if your financial information has been affected, inform your bank and consider freezing your account or card.
- Enable multi-factor authentication (MFA): where available, to add extra security.
- Be alert to phishing: fraudsters may use breach information to create convincing scams.
- Keep records: save a copy of the breach notice and any related communication.
- Report concerns to the ICO: if you believe the organisation is not handling the breach appropriately.
- Seek legal advice: if you suffer harm and are considering a compensation claim.
The claims process
For individuals, various steps form part of a claim, but the basic actions are to identify the breach and determine whether personal data was compromised. You will need to gather evidence of harm, such as financial records or medical reports. It is essential to engage the organisation: notify the responsible party of the breach and of your intention to claim compensation. Instructing a solicitor specialising in data protection law can make this process easier, especially when considering filing a claim at court and/or negotiating a settlement as an alternative.
Equally, for organisations responding to a claim, you will need to take robust steps to investigate the breach. The simplest way to do this is to conduct an internal review to assess liability and the extent of harm. Engaging a solicitor early on will allow you to seek expert advice on managing claims and mitigating exposure. You will need to respond to the complaints and cooperate with affected individuals and regulatory bodies to address concerns and resolve issues. If formal proceedings are issued, you will need to prepare a defence and present evidence of compliance or mitigating factors to counter liability. Like any organisation facing a claim, you will have to weigh the financial and reputational risks of litigation against settlement and, importantly, implement measures to prevent further breaches through updated protocols and security measures.
Reporting and deadlines
How long do you have to report a GDPR breach?
The statutory limitation period for bringing a compensation claim under Article 82 of the UK GDPR is:
- Six years from the date of the breach in England and Wales
- Three years for personal injury claims (including psychological injury) from the date of knowledge of the injury and its attribution to the breach, under section 11 of the Limitation Act 1980
As above, organisations must report a notifiable breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
Timely reporting helps preserve evidence and demonstrates good-faith compliance, both of which are crucial in defending future claims.

Become GDPR compliant today
What are the steps to becoming GDPR compliant, and how can a solicitor help?
We have set out some key steps for GDPR compliance as follows:
- Mapping and auditing the personal data you hold
- Identifying your lawful basis for processing data
- Drafting clear privacy policies and cookie notices
- Implementing appropriate security measures
- Training staff in data handling and breach response
- Completing DPIAs (Data Protection Impact Assessments) where required
- Reviewing contracts with third-party data processors
- Appointing a Data Protection Officer (if applicable)
A solicitor can help with:
- Drafting legally robust policies and contracts
- Providing legal advice on data protection risk management and compliance with data processing requirements under the UK GDPR and Data Protection Act 2018
- Supporting you through audits, breaches or ICO investigations
- Ensuring your approach is proportionate and tailored to your operations
If you’ve experienced a data breach, or are simply seeking guidance on your organisation’s compliance, Scott Bailey LLP can help. Contact our experienced team for clear, practical support.