Frequently Asked Questions On Data Breach Claims

Frequently Asked Questions On Data Breach Claims

Frequently Asked Questions On Data Breach Claims Guide

What are data breaches? How can a personal data breach cause financial or mental harm? This guide shall answer these questions and many more. It will also examine the data breach claims process and what type of compensation is awarded in successful claims.

This guide explains how laws in the UK called the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) define the legal expectations for organisations to correctly process your data and prevent personal data breaches. To talk about this immediately, please:

Select A Section

  1. What Is A Personal Data Breach Claim?
  2. How Long Do I Have To Claim For A Personal Data?
  3. Do I Have To Report The Breach?
  4. What Evidence Will I Need To Start A Claim?
  5. Personal Data Breach Compensation Calculator
  6. How To Start A No Win No Fee Claim

What Is A Personal Data Breach Claim?

Before examining what are personal data breaches, it’s important to be clear about what defines personal data. Any information that could be used on its own or alongside other details to positively identify you as a living person is personal data. There are some obvious examples, such as:

  • Name and address
  • Mobile number and email address
  • Bank card details
  • National insurance number
  • NHS number

Under data protection law, other personal data that is considered sensitive ”special category data” is also protected this includes;

  • Health data
  • Racial and ethnic background
  • Political, religious or philosophical beliefs
  • Sexual orientation

Special category data are given added protection due to their potential to cause the data subject a greater level of harm if misused.

Controllers and processors are the main parties involved and must prove at least one of six lawful basis for data processing to collect and use this information.

A data controller is generally an organisation or company that collects your personal information and says how and why it will be processed. Sometimes controllers will outsource their processing to data processors.

Fundamental to a claim for compensation is the ability to show how these parties failed to adhere to UK GDPR and Data Protection Act 2018  by an action they took (or failed to take) to safeguard the integrity of your personal data.

7 Core Principles

The independent body called the Information Commissioner’s Office (ICO) regulates and upholds data protection rights for UK residents.

There are 7 Core Principles for good data processing:

  • Collected with a lawful, fair and transparent reason
  • Limited in purpose
  • Kept to a minimum
  • Accurate
  • Stored for a specific and limited period
  • Kept secure at all times
  • Handled with personal accountability for these good data practices.

In addition to this organisations, such as social services, hospitals and banks, should try to implement robust IT security to stop external cyber attacks from infiltrating their systems and accessing data for criminal purposes.

How Long Do I Have To Claim For A Personal Data Breach?

There are time limits that apply to launching data breach claims. There are 6 years to start a claim. This may seem like a long time to initiate a breach of data protection claim, but it is always recommended to start as soon as possible so that any evidence that is needed to support your case is still available.

Also, please be aware that if the claim is against a public body, the time limit for initiating the case is reduced to just one year.

Do I Have To Report The Breach?

You can contact them if you suspect an organisation has been involved in a data breach. They should inform you if a breach has taken place and whether your personal data was involved. By law, if they are aware of a data breach that affects your rights and infringes on your freedoms, they must inform you without delay. Also, reporting such a breach to the ICO within 72 hours of becoming aware of it.

If you intend to make a claim following a breach of your personal data, then you can take the following steps;

  • Firstly, raise a concern with the organisation in question
  • If you are dissatisfied with the response, you can raise a complaint with the ICO.
  • Wait no longer than 3 months after the last communication with the organisation to pursue dialogue with the ICO. Beyond this period, the ICO may consider the matter trivial or settled.
  • Simultaneously, you can seek legal advice about compensation for the data breach.

What Evidence Will I Need To Start A Claim?

In addition to claiming within the time limit and taking steps to raise a complaint, other evidence can play an essential part in data breach claims for compensation. After this experience, a data subject could experience financial losses, especially if banking details have been breached. So bank statements and invoices of fraudulent spending could be used as evidence.

As well as this, medical evidence can be accessed that shows stress due to the breach. Any documented proof that can support your claim of financial loss or psychiatric injury can be considered as long as it directly relates to the data breach.

Personal Data Breach Compensation Calculator

With this in mind, two areas of data breach compensation may apply after a successful claim. Material damage reflects these out-of-pocket costs and losses you suffered as a direct result of the data breach. This can include:

  • Stolen funds from your bank account
  • Late fees and unauthorised overdraft issues
  • Counselling costs to deal with the stress
  • Associated costs to replace personal devices such as smartphones or laptops

If you can provide documented evidence of these losses, it can be possible to claim them back as part of your compensation.

Also, non-material damage may apply. A precedent Court of Appeal case, Vidal-Hall and others vs Google Inc 2015, acknowledged compensation for psychiatric damage in its own right, independent of financial loss.

Even if the breach made your mental health problems worse. Non-material damage can cover post-traumatic stress disorder, distress, depression or anxiety.

The table below reflects the amount brackets in the Judicial College Guidelines JCG. This publication is often used when assessing the value of injuries in civil claims.

Psychiatric Harm JC Guidelines Award Bracket Supporting Notes
General Psychiatric and Psychological Damage Severe Degree – (a) £54,830 to £115,730 The person will experience marked issues with relationships, work and education ,creating a significant and long-standing disability
General Psychiatric and Psychological Damage Moderately Severe Degree – (b) £19,070 to £54,830


This bracket includes many of the same issues as above but there is a more positive prognosis. Still representative of a long-standing condition.
General Psychiatric and Psychological Damage Moderate Degree (c) – £5,860 to £19,070 This bracket reflects similar issues but improvements have been made.
General Psychiatric and Psychological Damage Less Severe Degree (d) – £1,540 to £5,860 An award here is given in recognition of the length of illness.
Post-Traumatic Stress Disorder abbreviated to PTSD Severe Degree – (a) £59,860 to £100,670


A permanent and profoundly severe trauma reaction that impacts all areas of the person’s life.
Post-Traumatic Stress Disorder abbreviated to PTSD Moderately Severe Degree (b) – £23,150 to £59,860


A similarly reaction but symptoms that can be improved with professional intervention and counselling.
Post-Traumatic Stress Disorder abbreviated to (PTSD) Moderate Degree – (c) £8,180 to £23,150


Cases in which there has been an overall recovery with any residual symptoms being bearable.
Post-Traumatic Stress Disorder abbreviated to PTSD Less Severe Degree (d) – £3,950 to £8,180 A full recovery taking place in 1 – 2 years with persisting symptoms beyond this period being minor in nature.

Please note – They are merely guidelines. 

Our team can explain more when you get in touch.

How To Start A No Win No Fee Claim

Legal representation under a No Win No Fee agreement could help if you are considering claiming for damages. A Conditional Fee Agreement may be used as the preferred contract. It will state the terms and conditions of the service provided. These will usually state that a successful case needs a maximum deduction of only 25% for the solicitor’s success fee. This comes from the award you receive.

Cases that do not win require no success fee. Our advisors can assess your case for free when you get in touch. Any claims that look solid and have good grounds could be connected with a data breach solicitor.

To discover more, please get in touch by:

Guides On Breach of Data Protection Claims

The resources below will offer more insight on the subject:

More of our guides to help answer your frequently asked questions on data breach claims.