Data Breach Compensation UK: What You Can Actually Claim

Data breach compensation in the UK is real but not automatic, and it is not paid by the ICO. You claim through the courts under Article 82 UK GDPR, and the Supreme Court's Lloyd v Google ruling means loss of control alone rarely wins a payout.
The reality check: what Lloyd v Google actually decided
Before anything else, it helps to understand why data breach compensation claims in England, Wales, Scotland and Northern Ireland are harder to win than a lot of advertising suggests. In November 2021, the Supreme Court ruled on Lloyd v Google LLC [2021] UKSC 50, a case brought as a representative action on behalf of roughly four million iPhone users whose browsing activity Google was alleged to have tracked without consent by bypassing a privacy setting in Safari. The claim was framed as a uniform, per-person sum for every affected user, based on the argument that the mere loss of control over their data was itself compensatable, without needing to show that any individual had actually lost money or suffered distress.
The Supreme Court unanimously rejected that approach. It held that compensation requires proof of damage, material loss or genuine distress caused by the breach, and that a person cannot recover compensation simply because their data was mishandled with no further consequence. The court also rejected the idea of a single, uniform award applied automatically across a large group of people without any individual assessment. The case was decided under the old Data Protection Act 1998, but the same reasoning is treated as applying equally to claims under UK GDPR Article 82 and section 168 of the Data Protection Act 2018, since both use the same "damage" requirement.
The practical effect is that a data breach on its own, even a serious one, is not a ticket to an automatic payout. If you want to bring a claim, you need to be able to point to something concrete: money you lost, or distress you genuinely experienced because of that specific breach.
What the law actually gives you
The right to compensation comes from Article 82 of the UK GDPR and section 168 of the Data Protection Act 2018, which spells out that "non-material damage" includes distress. Together they give anyone who has suffered material damage (a financial loss) or non-material damage (distress) as a result of an organisation breaking data protection law a right to compensation from that organisation.

This is separate from what the ICO does. The ICO can investigate a suspected breach, order an organisation to change its practices, and in serious cases issue a fine. But a fine is a regulatory penalty; it does not go to the people affected by the breach. As the ICO's own guidance puts it plainly, the ICO cannot award you compensation, even where it finds that an organisation broke the law. If you want money for the harm you personally suffered, that has to come from the organisation directly (which may agree to pay without going to court) or, if it will not, from a court claim.
What you can and cannot realistically claim
| You may realistically be able to claim for | You are unlikely to get compensation for |
|---|---|
| A quantifiable financial loss caused by the breach, such as money lost to fraud enabled by leaked details, or the cost of replacing compromised documents | Simply being told your data was included in a breach, with no further loss or distress |
| Genuine, evidenced distress or anxiety caused by that specific breach, particularly where the exposed data was sensitive (health, financial, sexual orientation, and similar) | A uniform, automatic per-person payment through a group claim, following the Supreme Court's rejection of that model in Lloyd v Google |
| A combined claim covering both financial loss and distress arising from the same incident | Speculative or hypothetical future harm that has not actually materialised |
| Compensation direct from the organisation responsible, either by agreement or through a court claim | Any payment from the ICO itself; it is a regulator, not a compensation fund |
The common thread is evidence. A court, or an organisation deciding whether to settle, will want to see something specific: a bank statement showing a fraudulent transaction, records of time and money spent resolving identity fraud, or a credible, well-founded account of anxiety or distress tied to that breach, rather than a general sense that a data breach happened somewhere and your details were in it.
The realistic route: organisation, then ICO, then court
- Complain to the organisation first. Most organisations have a complaints process, and some will offer redress or compensation directly without you needing to go further. See the ICO complaint guide for how to escalate if the organisation does not respond properly.
- Complain to the ICO if the organisation does not resolve it. The ICO can investigate and, where it finds a breach of the law, take regulatory action against the organisation. It will not, however, pay you compensation itself, and it does not decide individual compensation disputes.
- Bring a court claim only where you can show real loss or distress. This is a civil claim, brought in the courts rather than through the ICO, and the route differs slightly by nation (the ICO signposts separate court guidance for England and Wales, Scotland, and Northern Ireland). The ICO strongly recommends taking independent legal advice on the strength of your case before starting any court claim, and that is worth taking seriously: without evidence of real damage or genuine distress, a claim is unlikely to succeed after Lloyd v Google.

Claims-management companies: why "you could be owed £X" is not how this works
Data breaches are heavily advertised territory for claims-management companies (CMCs), some of which are authorised and regulated by the Financial Conduct Authority. Adverts and unsolicited calls or texts claiming you are "owed" a specific sum, or that you automatically qualify for a payout because your details appeared in a particular breach, do not reflect how the law actually works after Lloyd v Google. No court or regulator hands out uniform per-person sums just because a breach happened.
If you are contacted this way, be sceptical of promised figures, ask what evidence of your own loss or distress they will actually need (if the answer is none, that is a warning sign), and check what percentage of any award the company takes as a fee before you sign anything. You are free to complain to the organisation and the ICO yourself for nothing, and you can instruct a solicitor directly on a case that has genuine evidence behind it, rather than going through an intermediary that profits from volume.
Where this fits with your other UK data protection rights
Compensation is one part of a wider set of data protection rights that sit alongside each other. If you are not sure a breach even involved your personal data, a subject access request is the way to find out what an organisation actually holds and processes about you. The broader legal framework behind all of this, including the lawful bases organisations rely on and the principles they must follow, is covered in the UK GDPR explained guide, and the ICO complaint guide walks through the regulatory route in more detail. For the fuller picture of UK data protection and disclosure rules, see the UK Data Privacy hub and the United Kingdom hub.

This article is for general information only and is not legal advice. It does not offer to assess, submit or pursue any compensation claim on your behalf. If you believe you have suffered real financial loss or genuine distress from a data breach, consider taking independent legal advice before starting a claim. For the wider picture of UK data protection rights, see the UK Data Privacy hub and the United Kingdom hub.
Frequently Asked Questions
Does the ICO pay me compensation after a data breach?
No. The ICO can investigate a breach and fine the organisation responsible, but that fine is a regulatory penalty, not a payment to affected individuals. Compensation has to come from the organisation itself, either by agreement or through a court claim.
What did Lloyd v Google actually decide?
In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court held that a bare loss of control over personal data, without proof of financial loss or genuine distress, does not by itself entitle someone to compensation, and it rejected a uniform, automatic per-person award across a large group of claimants.
What can I actually claim compensation for after a data breach?
You can claim for material damage, a quantifiable financial loss caused by the breach, and non-material damage, genuine distress caused by that specific breach. You generally need evidence of one or the other; simply having your data included in a breach, with no further consequence, is unlikely to succeed on its own.
How do I start a data breach compensation claim?
Complain to the organisation first, since some will resolve it directly. If that fails, complain to the ICO, which can investigate and take regulatory action but cannot award you compensation. A court claim, with independent legal advice, is the option for cases with real loss or distress to prove.
Are the adverts saying I could be owed a set amount of compensation accurate?
Generally no. Adverts or calls suggesting an automatic payout simply because your data was in a breach do not reflect the law after Lloyd v Google, which rejected uniform per-person awards without individual proof of harm. Be sceptical of any promised figure and check what fee a claims-management company would take.
Is there a difference between an ICO fine and my own compensation?
Yes. An ICO fine is a regulatory penalty paid by the organisation to the state, intended to punish and deter poor practice. It is entirely separate from any compensation you personally might be owed, which is a civil claim against the organisation, not something the ICO distributes.
Do I need a solicitor to claim data breach compensation?
Not always, but the ICO strongly recommends taking independent legal advice on the strength of your case before going to court, particularly given how narrowly Lloyd v Google limits claims based on loss of control alone. For a claim with genuine evidence of loss or distress, a solicitor can help assess whether it is worth pursuing.
Sources and References
- ICO: Taking your case to court and claiming compensation(ico.org.uk).gov
- UK GDPR Article 82: Right to compensation and liability(legislation.gov.uk).gov
- Data Protection Act 2018, section 168: Compensation for contravention of the UK GDPR(legislation.gov.uk).gov
- UK Supreme Court: Lloyd (Respondent) v Google LLC (Appellant) [2021] UKSC 50(supremecourt.uk).gov
- FCA: Claims management companies, our regulation(fca.org.uk).gov