
When a Company Has a Data Breach

Digital | UK-wide | Last reviewed: 1 April 2025 | 6 min

A personal data breach occurs when an organisation accidentally or unlawfully destroys, loses, alters, discloses, or gives access to your personal data without authorisation. When this happens, UK GDPR places obligations on the organisation — including notifying you if the breach is likely to cause you harm — and gives you rights to complain and potentially claim compensation.

Key points

  • Organisations must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
  • If a breach is likely to result in a high risk to you, the organisation must also tell you directly without undue delay.
  • You can complain to the ICO if an organisation fails to notify you or handles a breach inadequately.
  • You may be able to claim compensation for financial loss and distress caused by a data breach.
  • Keep records of any financial loss, identity fraud, or distress linked to the breach to support a compensation claim.

When Must You Be Notified of a Breach

Under Article 34 of UK GDPR, an organisation must notify you directly if a breach is likely to result in a high risk to your rights and freedoms. This includes situations where the breach could lead to:

  • Identity theft or fraud
  • Financial loss
  • Damage to reputation
  • Discrimination or social disadvantage
  • Loss of confidentiality of sensitive data (health, financial, or criminal records)

Notification to you personally is separate from the organisation's obligation to report the breach to the ICO. The ICO must be told within 72 hours of the organisation becoming aware of the breach unless the breach is unlikely to result in a risk to individuals. A breach that carries some risk but not a high risk must therefore still be reported to the ICO, even though you need not be told individually.

The notification to you must describe, in clear and plain language, the nature of the breach, the likely consequences, the measures the organisation has taken or proposes to take (including any steps to reduce the harm to you), and the name and contact details of its data protection officer or another contact point.

Reporting Breach Failures to the ICO

If you believe an organisation has suffered a breach involving your data and has failed to notify you (or the ICO) as required, you can:

  1. Contact the organisation directly to ask about the breach and what steps they have taken. Request information about what data was affected.
  2. Make a subject access request (SAR) to find out what data of yours the organisation holds and whether its records show that data was involved in a breach.
  3. Report to the ICO at ico.org.uk/make-a-complaint. The ICO can investigate whether the organisation met its breach notification obligations and take enforcement action.

The ICO can impose significant fines on organisations that fail to report a breach (up to £8.7 million or 2% of annual worldwide turnover, whichever is higher) and can also investigate the underlying security failure that allowed the breach to happen.

Protecting Yourself After a Data Breach

If your personal data has been exposed in a breach, take immediate steps to reduce your risk:

  • Change the password on the breached account and on any other account where you reused it, and use a unique, strong password for each account going forward (a password manager makes this practical).
  • Enable two-factor authentication (2FA) on all important accounts (banking, email, social media); an authenticator app or hardware security key is stronger than codes sent by SMS.
  • Monitor your bank and credit card statements and your credit report for unauthorised transactions or accounts, and report any fraud immediately to your bank.
  • Place a Cifas Protective Registration on your credit file (a small fee applies) if your identity documents or financial details were compromised; it flags credit applications made in your name so that lenders carry out extra identity checks.
  • Treat unexpected emails, calls or texts that mention the breach with suspicion: leaked details are commonly reused to make follow-up phishing more convincing.
  • Contact Action Fraud (0300 123 2040) if you become a victim of fraud linked to the breach.

Claiming Compensation for a Data Breach

Article 82 of UK GDPR gives individuals the right to claim compensation from an organisation for material damage (financial loss) or non-material damage (distress, anxiety, loss of dignity) caused by a breach. To succeed in a claim you must show:

  1. The organisation infringed UK GDPR (for example, by failing to have appropriate security measures or by processing data without a lawful basis).
  2. You suffered material or non-material damage.
  3. That damage was caused by the infringement.

Many data breach compensation claims are small and can be pursued through the county court's small claims or fast-track procedure. For large-scale breaches affecting thousands of people, group litigation orders (GLOs) have been used. Specialist data protection solicitors often act on a conditional fee ("no win, no fee") basis for breach compensation claims.

Frequently asked questions

I found out my email was in a data breach through HaveIBeenPwned. What should I do?
Change your password for that service, and for any other account where you used the same password, immediately. Enable 2FA where possible. Check which types of data the breach exposed: if it included financial or health data or identity documents, consider a Cifas Protective Registration. You can also complain to the ICO about the breached organisation if you believe its security was inadequate or it failed to notify you.
Can I claim compensation without going to court?
Some organisations will settle breach compensation claims without litigation — particularly where the ICO has already found them at fault. Write to the organisation setting out your loss and distress and the compensation you are seeking. If they refuse, you can issue a small claims court claim, or for larger sums, instruct a data protection solicitor.
How long do I have to bring a data breach compensation claim?
The Limitation Act 1980 generally gives you 6 years from the date the cause of action arose to bring a civil claim in England and Wales; where the breach was concealed from you or you could not reasonably have known about it, time may instead run from when you discovered it or could have done. Where the claim includes personal injury (which can include a recognised psychiatric injury, as opposed to distress alone), a 3-year limitation period applies. Get legal advice promptly to avoid missing time limits.
The ICO investigated a breach and fined the company. Does this mean I automatically get compensation?
No. ICO fines go to the government, not to individuals affected by the breach. An ICO finding of a breach can support your own compensation claim in court, but you must bring that claim separately. However, an ICO enforcement notice often prompts organisations to settle individual claims more readily.

What to do next

  1. Report a concern to the ICO
     Complain to the ICO about an organisation's breach response.

  2. Action Fraud
     Report fraud or cybercrime linked to a data breach.

  3. UK GDPR rights overview
     Your full data protection rights under UK GDPR.

  4. Data subject access requests
     Find out what data an organisation holds about you after a breach.

Official bodies and resources

Information Commissioner's Office

Regulator

The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.

Financial Conduct Authority

Regulator

Regulates financial services firms and financial markets in the UK to ensure they are honest, fair, and effective.

Citizens Advice

Charity

Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.


Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.