GDPR Breach Compensation: How Much Can You Claim in the UK?

By the Assured Cyber Protection team · Updated 2026 · Reviewed

GDPR breach compensation is money a court can award you when an organisation mishandles your personal data and that failure causes you harm. The right exists, and people do win, but the headline claims you see advertised are often far larger than what UK courts actually award. This guide sets out where the right to compensation comes from, what you have to prove, the realistic amounts involved, and why a lot of breach claims are thrown out before they get anywhere. If you run a business, it also shows why the exposure is real enough to insure against.

Where the right to claim comes from

Your right to GDPR breach compensation comes from Article 82 of the UK GDPR, backed by the Data Protection Act 2018. It says that anyone who suffers “material or non-material damage” as a result of an infringement has the right to compensation from the controller or processor responsible.

Two categories of damage matter here. Material damage is financial: money stolen from your account, costs you had to pay, income you lost because of the breach. Non-material damage is distress, anxiety and loss of control over your data, with no money changing hands. The important point, established in Vidal-Hall v Google, is that you can claim for distress alone even where you have lost no money at all. You can read the text of the right on the ICO’s guidance on the right to compensation.

The claim goes to court, not the ICO

A common misunderstanding is that the Information Commissioner’s Office hands out compensation. It does not. The ICO regulates organisations, investigates complaints and can fine controllers, but it has no power to award you a penny. Compensation is a civil claim you bring against the organisation, either by agreement or through the courts. That distinction matters because it shapes the whole process: you complain to the ICO to get a breach investigated, but you claim compensation separately, and you carry the burden of proving your loss.

What you actually have to prove

To succeed you have to show three things: that an organisation breached data protection law, that you suffered damage, and that the breach caused that damage. The middle limb is where most claims fall down.

UK courts have made clear that the damage must clear a “de minimis” threshold, meaning it has to be more than trivial. In Rolfe v Veale Wasbrough Vizards, the High Court struck out a distress-only claim where a single email had gone to the wrong address, the data was not sensitive, and the claimants offered no real evidence of harm beyond ordinary worry. The court found the distress fell below the threshold and warned that speculative low-value claims can leave the claimant paying the other side’s costs.

The lesson is that genuine, evidenced harm wins and vague upset does not. Contemporaneous notes of your distress, medical evidence if the impact was serious, and proof of any financial loss all strengthen a claim. A one-off inadvertent error involving non-sensitive data is the weakest possible case; a deliberate or repeated exposure of special category data, such as health records, is the strongest.

How much GDPR compensation is actually worth

Realistic amounts are far lower than advertising suggests. Historic distress awards clustered in the hundreds of pounds rather than the tens of thousands, and courts have treated a few hundred pounds as a starting point for a relatively minor incident. Larger awards are possible where the breach caused real financial loss or serious, evidenced psychological harm, and awards for distress are sometimes cross-checked against the bands used in discrimination cases.

The Supreme Court’s decision in Lloyd v Google also closed off a route people had hoped would produce mass payouts. It ruled that you cannot claim uniform compensation for a simple “loss of control” of data without proving the damage each individual actually suffered. That killed the idea of automatic, tariff-style payments for everyone caught in a large breach and pushed the focus back onto individual, evidenced harm. So when you see a firm quoting a large “average” payout, treat it with caution: the figure usually reflects the rare, serious cases, not the everyday inbox slip.

What this means if you run a business

For an organisation, the compensation risk sits alongside regulatory fines, incident response costs and reputational damage. Even where individual awards are modest, a breach affecting thousands of people, plus legal defence costs, plus the ICO investigation, adds up. This is exactly the exposure that cyber insurance and good security controls are meant to reduce. Certifying to a recognised baseline lowers both the chance of a breach and the cost of defending one; see our guide to Cyber Essentials certification and what a cyber security audit covers. If you are assessing the financial side, our page on cyber insurance cost explains how insurers price this risk.

Frequently asked questions

How much compensation can you get for a GDPR breach in the UK? There is no fixed tariff. Distress-only awards have historically fallen in the hundreds of pounds, while larger sums are reserved for cases with proven financial loss or serious, evidenced psychological harm. Advertised “average” figures usually reflect the rare severe cases. The amount depends on how sensitive the data was, how the breach happened and the evidence of actual harm.

Can I claim compensation for distress with no financial loss? Yes. Following Vidal-Hall v Google, you can claim for non-material damage such as distress even where you lost no money. However, the distress must be more than trivial. Courts have rejected claims where the upset amounted to ordinary worry over a minor, inadvertent error involving non-sensitive data, so evidence of genuine impact is essential.

Does the ICO pay compensation for a data breach? No. The Information Commissioner’s Office regulates organisations and can fine them, but it cannot award compensation to individuals. To recover money you must bring a civil claim against the organisation responsible, either by negotiation or through the courts, and you carry the burden of proving your loss.

How long do I have to make a GDPR compensation claim? Data protection claims are generally subject to a six-year limitation period in England and Wales, running from when the damage occurred, though shorter periods can apply in some contexts. Because time limits and the strength of your evidence both matter, it is sensible to act promptly and take legal advice rather than leave a potential claim.

What makes a data breach claim more likely to succeed? Claims are strongest where sensitive or special category data such as health or financial records was exposed, where the breach was deliberate or repeated rather than a one-off slip, and where you can show real, documented harm. Contemporaneous records of your distress, medical evidence for serious impact, and proof of any financial loss all help clear the de minimis threshold.