Data Breach Complaints

Complaints · Last reviewed: 1 April 2025 · 5 min

A data breach occurs when your personal information is accessed, disclosed, lost, or stolen in a way that was not authorised. Whether the breach involved your financial details, health records, or contact information, you have rights under UK GDPR and the Data Protection Act 2018 — including the right to complain to the Information Commissioner's Office (ICO) and to claim compensation.

Key points

  • Organisations must notify you of a personal data breach that poses a high risk to your rights and freedoms.
  • You can complain to the ICO if you believe an organisation has mishandled your data or failed to notify you of a breach.
  • You can claim compensation for damage (including distress) caused by a data breach under UK GDPR.
  • Act quickly if your financial data was involved — contact your bank immediately and monitor your accounts.

What to Do When You Discover a Breach

If you discover your personal data has been breached — whether through a notification from the organisation, a news report, or noticing suspicious activity on your accounts:

  • If financial data was involved: Contact your bank or card provider immediately. Request replacement cards if your card details may have been compromised. Monitor your statements for any unauthorised transactions and report them to your bank at once.
  • If login credentials were involved: Change your passwords on the affected service and any other services where you use the same password. Enable two-factor authentication where available.
  • Check your credit file: Use a free credit checking service to see if any credit applications have been made in your name.
  • Report fraud: If you believe you have been a victim of identity fraud resulting from the breach, report to Action Fraud (actionfraud.police.uk).

Complaining to the ICO

If you believe an organisation has breached your data rights — by failing to protect your data adequately, failing to notify you of a breach, or mishandling your data in any other way — you can complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

The ICO is the UK's data protection regulator. It can investigate organisations and issue enforcement notices, fines, or require specific action. However, the ICO cannot itself award you compensation — for compensation, you must pursue a civil claim.

Before complaining to the ICO, raise your concern directly with the organisation first. Give them a reasonable period to respond (usually around four weeks). If they do not respond satisfactorily, you can then escalate to the ICO.

Claiming Compensation for a Data Breach

Under Article 82 of UK GDPR, you have the right to claim compensation from an organisation that has breached your data rights if you have suffered damage as a result. Damage includes both material damage (financial loss) and non-material damage (distress, anxiety, loss of control over personal information).

To claim compensation:

  • Write to the organisation's Data Protection Officer (DPO) setting out the breach, the damage you have suffered, and the compensation you are seeking
  • If the organisation refuses, you can issue a civil claim in the County Court
  • Some solicitors take data breach compensation claims on a no-win no-fee basis for larger breaches

Be wary of claims management companies advertising data breach compensation — they often charge high fees that reduce your net compensation significantly.

Frequently asked questions

Do I need to report a data breach to the police?

You do not need to report a data breach to the police unless it involves criminal activity — such as identity theft or fraud. If you believe your data is being actively used for fraud, report to Action Fraud. The ICO handles regulatory complaints about organisations' data handling; the police handle criminal investigations.

How do I know if my data has been part of a breach?

The organisation that suffered the breach should notify you if the breach poses a high risk to your rights and freedoms. You can also check tools like HaveIBeenPwned.com to see if your email address appears in known data breach datasets. Monitoring your credit file and bank statements for unusual activity is also advisable.

How much compensation can I claim for a data breach?

There is no fixed amount — compensation is assessed based on the severity of the breach, the sensitivity of the data involved, and the impact on you. Small-scale breaches typically attract modest amounts (hundreds of pounds for distress). Large-scale breaches involving sensitive categories of data (health records, financial information) can attract higher amounts. Some group litigation actions have achieved larger settlements.

What to do next

  1. Make a data breach complaint to the ICO

     Report an organisation's data breach to the ICO.

  2. Report identity fraud to Action Fraud

     Report fraud resulting from a data breach.

  3. Check if your data was in a known breach

     Check HaveIBeenPwned for known data breach exposure.

Official bodies and resources

Information Commissioner's Office

Regulator

The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.

Citizens Advice

Charity

Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.