Data-Breach.com has dealt with over 14,000 data breach enquiries

Call free

Can I Claim GDPR Compensation For Distress UK?

Man distressed from GDPR breach

Eleanor Watts

Eleanor Watts is a skilled solicitor who specialises in handling data breach cases and leads the dedicated team at the Data Breach department. Her journey began at the University of Nottingham, where she earned her law degree, and later pursued her masters in law from the University of Law. Becoming a qualified solicitor in 2021 after completing her training, Eleanor's focus turned to data protection and privacy claims, a field she's excelled in since the implementation of GDPR in 2018.

Many people entrust their personal information to companies. These companies are bound by law to keep it safe. If your personal data has been breached, you may be stressed about who might have access to this information or how it will be used. You may also want to know if you can hold companies that fail to protect your personal data accountable and whether you could claim compensation for the harm you have suffered.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, sit together as data protection laws and set out the rules and regulations a data controller or data processor must follow when processing personal data. Data controllers are organisations that decide why and how your data is being processed. Data processors are organisations external to a data controller that processes personal data on their behalf.

A failure to follow these laws could result in a data breach and cause you emotional distress and also financial loss. If this is the case, you could be eligible to claim compensation.

Below, we discuss in more depth how to make a claim under the UK GDPR for compensation for distress caused by a data breach.

What Is Considered “Distress” When Making A Claim Under The UK GDPR? 

For many, the idea of someone else having unauthorised access to their information can cause significant distress. This is why you could claim under the UK GDPR for compensation for distress.

Here are some of the types of mental health conditions that you may be able to claim data breach compensation for under the UK GDPR: 

  • Anxiety/Depression – Anxiety is a mental health condition that surrounds constant streams of negative thoughts and overanalysis, whereas depression is a consistent low mood that makes even small things require considerable effort. If the misuse of personal data results in these mental conditions in the form of ongoing feelings of fear, worry, hopelessness, etc., then this may warrant compensation. 
  • Post Traumantic Stress Disorder PTSD – is a mental health condition caused by very stressful, traumatic, frightening or distressing events.
  • Stress/Distress – Distress can occur if stress is severe, prolonged, or both.

What Could Cause These Conditions?

  • Fear of Identity Theft – Data breaches could expose information that can be used to launch identity theft campaigns. This can be anything from national insurance numbers to bank account details and contact information. Regardless, the fear of having your identity stolen to commit crimes such as theft can result in an overbearing amount of stress. 
  • Fear of Humiliation —Some information, such as past names and convictions, may result in shame and humiliation if it were ever to be revealed. This can result in a fear that life as it is known may be affected and that your personal relationships may also be impacted.
  • Damage to Reputation – A data breach may reveal information that could destroy your professional or personal life, such as information regarding any outstanding loans. This looming threat may result in damaged trust and credibility and cause you to suffer psychologically.

Vidal-Hall vs Google Inc (2015)

Court cases throughout history have a habit of creating ‘legal precedent’. This means that the outcome of a case becomes a possible standard for companies or people in a similar predicament. Vidal-Hall vs Google was one of these cases.

This case made it possible to claim for distress when no financial damage was being claimed for. Before this case it was only possible to claim for harm to your mental health following a breach of/or misue of information if you also suffered financial losses brought on by the incident.

As a result, the answer is definitively yes, you can claim under the UK GDPR for compensation for distress following a personal data breach that was caused by an organisation failing to adhere to data protection law. 

How Can I Prove Emotional Distress To Claim Compensation?

While it’s possible to claim compensation for a data breach as long as you meet the eligibility criteria, you may need to provide evidence of the distress you suffered. If you decide to work with a lawyer on your case, they could help you with gathering evidence. Some examples of evidence you could gather include:

  • Medical Records – Records of your visits from therapists, doctors, etc. following a personal data breach can be used to prove the psychological harm you have suffered.
  • Testimony from Professionals – People who treated you can be contacted to provide testimony. 
  • Witness Statements – Individuals who are close to you can offer witness statements that detail the changes they observed in your behaviour after the data breach.  
  • Personal Journal Entries – Maintaining a record of your mental health changes would go a long way in tracking how you’ve felt throughout that time.

How Much UK GDPR Compensation Am I Entitled To?

There is no average amount of compensation that could be awarded for a successful data breach claim. This is because compensation is awarded on a case-by-case basis. How much compensation you could receive will depend on the unique factors of your case. Some factors that will be taken into consideration when making a claim under the UK GDPR for compensation for distress include: 

  • Duration of Distress – Prolonged emotional suffering caused by a breach is more likely to lead to higher compensation. 
  • Extent of Disruption – How impactful has the disruption been? Severe disruptions to work, social relationships, and general life will be considered much greater reasons to access higher compensation than not. 
  • Expected Recovery – The extent of recovery you are expected to make and how long this recovery will take can also influence the amount of compensation awarded to you.
  • Financial Losses Suffered – For example, if you had to pay for therapy for the distress you suffered following a personal data breach, or take time off work, these lost earnings and costs could potentially be claimed back, and affect the amount of your overall settlement.

The Process Of Making a UK GDPR Compensation Claim

Pursuing compensation can be daunting, but we’re here to provide a roadmap that you can follow, starting from the moment you learn that your data has been compromised. 

Contact a Data Breach Lawyer

Lawyers come in different fields of expertise, and the rise in data breach claims has given rise to Data Breach specialists. Working with a special data breach lawyer on your case comes with various advantages as they could help you with:

  • Gathering evidence to support your claim.
  • Communicating with the defendant.
  • Explaining any legal jargon used throughout the claims process to you.
  • Negotiating a compensation settlement on your behalf.

Data-Breach.com provides access to a host of specialist data breach lawyers who will give you legal support in data breach compensation claims. The best part is that our lawyers work on a No Win No Fee basis. This means that your lawyer will take a legally-capped success fee from the compensation awarded to you if your claim is a success. In the event of an unsuccessful claim, you will not need to pay your lawyer for the services they have provided. 

Document Everything

Documentation is vital to ensure that your claim is strong. Gather and organise the following information:

  • Confirmation of Your Data Being Breached – If an orgnaisation becomes aware that your personal data has been breached, they must inform you what information has been breached without undue delay if they believe you rights or freedom could be at risk. This confirmation may be via a letter or email and could be used as evidence within your claim that your personal data has been breached.
  • Dates of Communication – Note down any dates of interactions made with the responsible organisation regarding the data breach. Record the names of the people you speak to and any emails or other correspondence.
  • Resulting Distress – Make sure you document appointments made to therapists or doctors after the data breach. Ask for a note or some other type of proof that you’ve attended and what the outcome of those appointments were.

Contact The ICO

In the UK, the supervisory authority is the Information Commissioner’s Office (ICO) when it comes to data protection. Following a breach of your personal data you could make a complaint to the ICO. They may then decide to investigate the breach and their findings could be used as evidence in your claim. However, this complaint must be made within three months of the last meaningful communication you had with the organisation responsible for the breach. 

Conclusion

All in all, you should now have a clearer understanding of claiming under the UK GDPR for compensation for distress following a personal data breach.

If you have suffered psychological harm due to a personal data breach, you can contact us to see how we could help you.

Can I Claim UK GDPR Compensation For Distress? – FAQs

What is the UK GDPR, and how does it protect me? 

The UK GDPR provides rules on how personal data is collected, used, stored and disposed of by organisations. It grants individuals rights regarding their data, ensuring the right to access, rectify, erase, and restrict processing. 

Organisations must be clear with the information they collect, and how they use your data. They will be accountable for keeping this data secure using several security practices.

Are there any circumstances where a data breach has occurred but you would be unable to claim?

There may be certain circumstances where a data breach has occurred, but you may be unable to make a claim. Some examples include

  • Data Protection Laws Were Adhered To – If an organisation can prove that they took all the necessary steps and measures to protect your personal data and it was still breached, you might not be able to make a data breach distress compensation claim.
  • No Harm Was Suffered – If your personal data was compromised in a breach, but you suffered no financial or psychological harm, you could not make a claim for compensation.
  • Your Personal Data Was Not Affected – If a data breach occurred but your personal data was not compromised in this breach, you would be unable to claim. 

Eleanor Watts

Eleanor Watts is a skilled solicitor who specialises in handling data breach cases and leads the dedicated team at the Data Breach department. Her journey began at the University of Nottingham, where she earned her law degree, and later pursued her masters in law from the University of Law. Becoming a qualified solicitor in 2021 after completing her training, Eleanor's focus turned to data protection and privacy claims, a field she's excelled in since the implementation of GDPR in 2018.

We're ready to help you get the compensation you deserve

Alternatively, give one of our solicitors a call free on 0333 241 2521

Lines open 9am – 5pm Mon to Fri

Has your data been handled incorrectly?