Data Breach Compensation Calculator
Estimate how much compensation you could claim for a UK data breach under UK GDPR and the Data Protection Act 2018. Calculate non-material damage (distress) and material damage (financial loss) using Judicial College Guidelines brackets.
Estimate your potential claim value under UK data protection law
Based on Judicial College Guidelines (JCG) brackets for non-material damage
Judicial College Guidelines Brackets 2024/25
Non-material damage (distress) brackets used by UK courts when assessing data breach compensation. These figures are guidelines only — actual awards depend on the specific facts of each case.
| Severity | Compensation Bracket | Typical Circumstances |
|---|---|---|
| Less Serious | £1,000 – £3,000 | Short-term distress, minor inconvenience, brief anxiety |
| Moderate | £3,000 – £7,500 | Distress lasting several months, some disruption to daily life |
| More Serious | £7,500 – £15,000 | Significant impact, prolonged distress, some financial consequences |
| Most Serious | £15,000 – £50,000+ | Severe psychiatric injury, long-term impact, identity theft |
| Exceptional Cases | £50,000 – £100,000+ | Catastrophic harm, life-changing consequences (rare) |
Data Breach Compensation FAQ
Everything you need to know about claiming compensation for a data breach under UK GDPR and the Data Protection Act 2018.
Data breach compensation in the UK varies widely depending on the severity and impact. Under the Judicial College Guidelines (2024/25), non-material damage (distress) typically ranges from £1,000–£3,000 for less serious cases, £3,000–£7,500 for moderate cases, £7,500–£15,000 for more serious cases, and £15,000–£50,000+ for the most serious cases involving severe psychiatric injury. Material damages (actual financial losses such as fraud or identity theft) are added on top and can significantly increase the total claim value.
Material damage refers to actual financial losses you’ve suffered as a result of the data breach — for example, money stolen from your bank account, fraudulent transactions made in your name, or costs incurred to resolve identity theft. Non-material damage refers to the distress, anxiety, reputational harm, and psychiatric injury you’ve suffered. Under UK GDPR Article 82 and the Data Protection Act 2018, you can claim for both types of damage, and they are calculated separately. Non-material damage is assessed using Judicial College Guidelines brackets.
Yes. Following the landmark Court of Appeal ruling in Vidal-Hall v Google [2015], you can claim compensation for non-material damage (distress) even if you haven’t suffered any financial loss. The distress caused by knowing your personal data has been compromised — such as anxiety about potential identity theft, loss of privacy, or reputational harm — is itself a compensable injury under UK GDPR Article 82. You do not need to prove financial loss to make a claim.
Under the Limitation Act 1980, you generally have 6 years from the date of the data breach (or from the date you became aware of it) to bring a claim under the Data Protection Act 2018. However, claims against public authorities must be brought within 1 year. If your claim involves personal injury (such as psychiatric injury caused by the breach), the limitation period is 3 years from the date of injury or from the date you became aware of it. It’s always advisable to act promptly and seek legal advice as soon as possible.
You can claim for any breach of your personal data where the data controller or processor failed to comply with data protection law. Common examples include: cyber attacks and hacking, accidental disclosure of data (e.g., emails sent to the wrong recipient), lost or stolen devices containing personal data, inadequate security measures, unauthorised access by employees, failure to respond to subject access requests, and unlawful sharing of data with third parties. The breach can involve any personal data — names, addresses, financial details, medical records, or special category data.
Special category data (formerly ‘sensitive personal data’) is data that requires extra protection under UK GDPR Article 9. It includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Breaches involving special category data typically result in higher compensation awards because the potential for harm is greater. This calculator applies a higher multiplier for claims involving special category data.
You are not legally required to use a solicitor — you can make a data breach claim directly to the organisation responsible or to the Information Commissioner’s Office (ICO). However, data breach claims can be complex, and organisations often push back or offer low settlements. Most specialist data breach solicitors offer a free initial consultation and work on a no-win-no-fee basis (Conditional Fee Agreement), meaning you pay nothing if your claim is unsuccessful. Using a solicitor typically results in a significantly higher settlement than claiming alone.
Compensation is calculated in two parts: (1) Non-material damage — assessed using the Judicial College Guidelines (JCG) brackets, which consider the severity of distress, duration of impact, type of data breached, and vulnerability of the claimant. (2) Material damage — actual financial losses such as stolen money, fraudulent transactions, credit repair costs, and lost earnings. The total compensation is the sum of both. Courts also consider whether the data controller took appropriate security measures and whether the breach was reported to the ICO within 72 hours as required by UK GDPR Article 33.
