UKCan I get compensation for a data breach that caused me distress?
Yes, you may be entitled to compensation for distress caused by a data breach in the UK, even without financial loss, if the breach resulted from a controller’s failure to comply with UK GDPR or the Data Protection Act 2018.
What the Law Says
UK law gives individuals a clear right to compensation when a data breach causes them harm — including emotional distress — if an organisation failed in its legal duties under data protection law.
Under the Data Protection Act 2018 (DPA 2018), Section 167 gives you the right to claim compensation from a data controller or processor if you suffer damage as a result of their contravention of the UK GDPR or the DPA itself.
The UK GDPR (retained EU law) Article 82(1) confirms this right, stating that 'any person who has suffered material or non-material damage as a result of an infringement... shall have the right to receive compensation'. Non-material damage includes distress, anxiety, and loss of control over personal data.
Crucially, you do not need to prove financial loss. Courts have confirmed that distress alone — if sufficiently serious — qualifies as compensable non-material damage.
Statutory TextA data subject who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
— UK GDPR, Art 82(1) — Right to compensation and liability
Statutory TextA person who suffers damage by reason of a contravention of this Act by a controller or processor is entitled to compensation for that damage from the controller or processor.
— Data Protection Act 2018, s. 167 — Compensation
What Courts Have Said
UK courts have clarified when distress rises to the level of actionable non-material damage — confirming it doesn’t require psychiatric injury, but must go beyond mere annoyance or upset.
The Court held that 'damage' under UK GDPR Art 82 requires proof of *some* adverse effect on the claimant — not just technical breaches — and that mere loss of control over data, without evidence of distress or other harm, is insufficient for compensation in a representative claim. However, individual claims for distress remain viable where properly evidenced.
The Court affirmed that distress arising from unlawful processing — such as unauthorised use of biometric data — can constitute non-material damage eligible for compensation under UK GDPR Art 82.
What to Do
Confirm the breach: Get written confirmation from the organisation or check if they reported it to the ICO.
Gather evidence: Keep records of distress (e.g., diary entries, medical notes, emails showing anxiety or sleep disruption).
Complain to the ICO within 2 months of the incident or your awareness of it — they may investigate and issue enforcement notices.
Send a formal letter before action to the controller, outlining your claim and seeking settlement.
If unresolved, issue a claim in the County Court (for claims under £10,000) or High Court — within 6 years of the breach.
Sources
Same Question, Other Jurisdictions
Canada
Australia
Ireland
Singapore
European Union
India
South Korea
US-California
US-New York
JapanNot legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.