GDPR Data Breach Compensation: £750-£72,000 Guide (2025)
£750-£72K GDPR breach compensation. 6-year deadline. 363 breaches/day in 2024. Complete guide with real UK case amounts, step-by-step claim process, and compensation calculator.
By Compens.ai Collective Intelligence
Insurance Claims Expert
GDPR Data Breach Compensation: How Much Can You Get in 2025?
£750 to £72,000 depending on severity. 6-year deadline to claim. 363 data breaches per day in 2024.
⚡ Quick Answer
- Typical Amounts (UK): £750-£2,000 (minor breach), £2,000-£10,000 (moderate), £10,000-£72,000+ (severe)
- Deadline: 6 years from date of breach (UK/England & Wales)
- Who Can Claim: Anyone in EU/UK whose personal data was breached, leaked, or misused
- No Win No Fee: Most GDPR claims handled on contingency (solicitor takes 25-35% if you win)
---
2024 Data Breach Crisis: By the Numbers
- 363/day - Data breaches reported daily in 2024
- €1.2B - GDPR fines issued in 2024
- €5.88B - Total GDPR fines since 2018
- 6 years - UK deadline to claim compensation
Sources: DLA Piper GDPR Data Breach Survey 2024, European Data Protection Board
---
How Much Can You Claim? Compensation Ranges
💵 Minor/Low Severity Breaches: £750-£2,000
What Qualifies: Limited data exposed, low distress, no financial loss, quickly resolved.
Examples:
- Email address leaked in mailing list error
- Name and phone number visible to other users briefly
- Non-sensitive data exposed with quick remediation
- Minimal anxiety or inconvenience
Real Example: Warren v DSG Retail Ltd (Currys PC World, 2021) - £750 awarded for name, email, and shopping preferences leaked. No financial loss but distress recognized.
💰 Moderate Severity Breaches: £2,000-£10,000
What Qualifies: Sensitive data, identity theft risk, significant distress, or multiple violations.
Examples:
- Date of birth, address, and partial financial info exposed
- Medical or employment records leaked
- Data used for fraud or identity theft attempts
- Sustained anxiety, embarrassment, or reputational harm
- Company failed to secure data properly or notify promptly
Real Example: British Airways 2018 breach claims - £2,000-£6,000 awarded for payment card data and travel details exposed (380,000 affected).
🔥 Severe/High Impact Breaches: £10,000-£72,000+
What Qualifies: Highly sensitive data, actual financial loss, severe psychological harm, egregious company negligence.
Examples:
- Health records, sexual orientation, or criminal records leaked
- Full financial details leading to fraud or theft
- Children's data mishandled
- Severe mental distress (anxiety, depression, PTSD)
- Actual financial losses (fraud, identity theft costs)
- Company showed gross negligence or intentional violations
Real Example: Rolfe v Veale Wasbrough Vizards (2021) - £72,000+ awarded for highly sensitive legal documents (HIV status, sexual abuse details) sent to wrong recipients. Severe psychiatric harm proven.
---
Factors That Increase Your Compensation
✓ Sensitive data exposed (health, financial, sexual)
✓ Actual financial loss (fraud, identity theft)
✓ Severe distress (medical evidence helps)
✓ Children's data involved
✓ Company negligence or delayed notification
✓ Prolonged exposure or repeat breaches
✓ Large-scale breach affecting many people
✓ Reputational damage (professional impact)
---
Am I Eligible to Claim GDPR Compensation?
✓ Your personal data was breached, leaked, or misused - Includes hacks, accidental disclosures, improper access, unauthorized sharing
✓ The breach happened in the EU/UK or involves an EU/UK company - GDPR applies to all companies processing EU/UK residents' data
✓ You suffered distress or harm - Can be psychological distress, anxiety, inconvenience, financial loss, reputational damage
✓ Within 6-year deadline (UK/England & Wales) - Different deadlines for Scotland (5 years) and EU countries (varies)
Don't Need: Proof of financial loss is NOT required. Distress alone is sufficient.
---
How to Claim GDPR Compensation: 6 Steps
Step 1: Confirm You Were Affected
Check if the company notified you of a breach, or look for news reports of data breaches at companies you've used.
How to Check:
- Check your email for breach notifications from companies
- Search "[Company Name] data breach 2024" in news
- Visit Have I Been Pwned to check if your email was in known breaches
- Check ICO (UK) or your country's data protection authority for reported breaches
Step 2: Document Your Harm and Distress
GDPR compensation requires proof of "material or non-material damage" (distress, anxiety, inconvenience).
Evidence to Gather:
- Written statement describing your distress, anxiety, fear of identity theft
- Time spent dealing with breach (changing passwords, monitoring accounts)
- Medical records if you sought treatment for anxiety/stress
- Evidence of financial loss (fraudulent charges, credit monitoring costs)
- Screenshots of fraudulent activity or identity theft attempts
- Impact on daily life (sleep loss, work productivity, relationships)
Pro Tip: Keep a journal documenting your distress. Courts accept anxiety and inconvenience as valid harm even without financial loss.
Step 3: Submit Subject Access Request (SAR)
Before filing a claim, request details of what data was breached under your GDPR Article 15 right.
Email Template for SAR:
Subject: Subject Access Request - Data Breach [Your Name]

Dear [Company Name] Data Protection Officer,

I am writing to request information under Article 15 of the GDPR regarding the data breach reported on [Date].

Please provide:
- Confirmation of what personal data of mine was involved
- Categories of data compromised
- When you became aware of the breach
- What security measures failed
- What steps you have taken to mitigate harm
- Whether you reported to ICO/data protection authority

I expect a response within 30 days as required by GDPR.

Regards,
[Your Name]
[Your Contact Details]

The company must respond within 30 days. This creates a paper trail for your claim.
Step 4: File Complaint with Data Protection Authority (Optional)
While not required for compensation, filing with your national authority strengthens your case.
Where to File:
- UK: Information Commissioner's Office (ICO)
- Ireland: Data Protection Commission (DPC)
- Germany: Federal Commissioner for Data Protection
- France: CNIL
- Other EU: Find your authority at EDPB
Note: Data protection authorities investigate GDPR violations and can fine companies, but they don't award personal compensation. You must file a civil claim separately.
Step 5: Contact a GDPR Solicitor (No Win No Fee)
Most GDPR claims in the UK are handled on a "No Win No Fee" basis (Conditional Fee Agreement - CFA).
How No Win No Fee Works:
- You pay nothing upfront
- If you lose: you pay nothing (solicitor covers costs)
- If you win: solicitor takes 25-35% of your compensation
- Defendant usually pays your legal costs separately
- Expert knowledge of GDPR case law and compensation ranges
- Handle all legal paperwork and court filings
- Negotiate higher settlements (often worth the fee)
- Most breach claims settle out of court (faster resolution)
Step 6: File County Court Claim or Negotiate Settlement
Your solicitor will either negotiate a settlement or file a claim in county court (UK).
Settlement (Most Common - 70-80% of cases):
- Faster resolution (2-6 months)
- Companies avoid negative publicity
- You avoid stress of court
- File in county court (UK claims under £100K)
- Takes 6-18 months to resolve
- Judge determines compensation amount
- Defendant pays your legal costs if you win
⏰ Remember the Deadline! UK/England & Wales: 6 years from breach | Scotland: 5 years
---
Real GDPR Compensation Cases (UK)
£72,000+ - Rolfe v Veale Wasbrough Vizards (2021)
Law firm accidentally sent highly sensitive documents (HIV status, sexual abuse details) to wrong recipient. Claimant developed severe psychiatric injury. Court emphasized gross negligence and sensitivity of data.
£2K-£6K - British Airways 2018 Data Breach
Hackers breached BA systems, stealing payment card data of 380,000 customers. Individual settlements depending on distress severity and whether fraud occurred. ICO fined BA £20M separately.
£750 - Warren v DSG Retail (Currys PC World, 2021)
Currys PC World breach exposed customer names, emails, and shopping preferences. Court confirmed distress alone (without financial loss) is sufficient for GDPR compensation.
£5K-£8K - TalkTalk 2015 Breach
Major hack exposed names, addresses, DOB, phone numbers, and partial bank details of 157,000 customers. Victims targeted by scammers. Individual settlements for those who pursued claims.
---
Major Data Breaches 2024-2025: Can You Claim?
TikTok - €530M GDPR Fine (January 2025)
Irish regulator found TikTok transferred EU user data to China in violation of GDPR. EU TikTok users can claim for distress from data transfers. Likely £750-£2,000 range.
LinkedIn - €310M Fine (2024)
Targeted advertising violations - using personal data for ads without proper legal basis. EU LinkedIn users who received targeted ads can claim.
Meta - €251M Fine (2024)
Data security failures at Facebook. EU Facebook users affected by security failures can claim depending on what data was exposed.
How to Check If You're Affected: Companies must notify you within 72 hours of discovering a breach. Check your email or search "[Company Name] data breach 2024/2025".
---
Frequently Asked Questions
Do I need proof of financial loss?
No. GDPR Article 82 covers both "material" (financial) and "non-material" (distress) damage. Distress alone is sufficient.
How long do I have to claim?
UK (England & Wales): 6 years | Scotland: 5 years | EU: 3-6 years depending on country
Can I claim if I'm not sure what data was taken?
Yes. If the company notified you that your data was involved in a breach, that's sufficient. Use a Subject Access Request to get more details.
Do I need a solicitor?
Not required, but recommended. Most work on "No Win No Fee" taking 25-35% if you win. The defendant pays your legal costs separately.
The ICO fined the company. Do I automatically get compensation?
No. ICO fines go to the government, not victims. You must file a separate civil claim. However, an ICO finding strengthens your case.
---
Evidence to Strengthen Your GDPR Claim
Proof of Breach:
- Breach notification email from company
- News articles about the breach
- ICO breach register entry
- Subject Access Request response
- Written statement describing your distress
- Journal of anxiety, sleep loss, worry
- Medical records (GP visits for stress)
- Time spent dealing with breach
- Witness statements from family/friends
- Fraudulent transactions/charges
- Credit monitoring service costs
- Identity theft recovery expenses
- Lost wages dealing with breach
- Delayed breach notification (>72 hours)
- ICO investigation findings
- Evidence of poor security practices
- Previous breaches by same company
---
Were You Affected by a Data Breach?
£750-£72,000 compensation available. 6-year deadline. No Win No Fee solicitors available.
Report to ICO: ico.org.uk/make-a-complaint