UK Data Rights · UK GDPR · 8 min read · June 2026

Your Rights After a UK Data Breach

When a company you use suffers a data breach and your personal data is exposed, UK law gives you specific rights, including the right to complain, the right to access your data, and the right to claim compensation. This guide explains what those rights are, how to exercise them, and what to do immediately after you receive a breach notification.

You have legal rights under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations that handle your personal data have legal obligations to protect it. If they fail, and that failure causes you harm, you may be entitled to compensation, even if the harm is purely emotional distress.

What to Do Immediately After a Breach Notification

1. Read the breach notification
Note what data was exposed: email address, password, financial details, health data. The type of data determines the risk level and your next actions.

2. Change your password immediately
Change your password on the breached site. If you used the same password elsewhere, change it on every other account: criminals replay leaked email and password pairs against other services (credential stuffing), so a password reused across sites is compromised everywhere once it leaks anywhere.

3. Enable two-factor authentication
Add 2FA to the affected account and to any other accounts where the same email address or password was used.

4. Monitor your credit report and bank accounts
Check for unfamiliar accounts, applications, or transactions. If financial data was exposed, consider placing a fraud alert with the credit reference agencies.

5. Check Have I Been Pwned
Enter your email address at haveibeenpwned.com to see whether your details have appeared in any other known data breaches.

Your Legal Rights Under UK GDPR

Right to be informed

You must be told about a high-risk breach promptly and in clear language, including what data was involved, the contact details of the organisation's Data Protection Officer, and the likely consequences.

Right of access (Subject Access Request)

You can ask any organisation to confirm whether they hold data about you and to provide a copy. The request is free and must be answered within one calendar month.

Right to erasure

In some circumstances, you can ask an organisation to delete your personal data. This right has limits; organisations can refuse if they have legitimate reasons to retain the data.

Right to compensation

Under UK GDPR Article 82, you can claim compensation for material damage (financial loss) or non-material damage (distress) caused by a data protection breach. Claims go through the courts.

Right to complain to the ICO

You can complain to the ICO at ico.org.uk. The ICO investigates, can issue fines, and can require organisations to change their practices. The ICO does not award compensation directly.

Claiming Compensation for a Data Breach

UK GDPR Article 82 gives individuals the right to claim compensation for both financial loss and distress caused by a data breach. Courts have awarded compensation in cases involving both types of harm.

1. Document your experience: keep the breach notification email, note the dates, and record any distress or financial impact.
2. Consider complaining to the ICO first: an ICO finding against the organisation strengthens your legal position, though it is not required before going to court.
3. Contact a no-win no-fee data breach solicitor: many UK firms specialise in data breach claims and charge no upfront fees.
4. File a claim in the County Court: small data breach claims can be submitted online through the Government's claim portal. Seek legal advice for complex cases.

Protect yourself before the next breach. Free.

You cannot stop companies from being breached, but you can limit the damage when they are. Cyber Nova AI gives you a personalised checklist to reduce your exposure: unique passwords, 2FA, and breach monitoring.


Frequently asked questions

Can I claim compensation after a UK data breach?

Yes. Under UK GDPR Article 82, you have the right to claim compensation for material damage (financial loss) or non-material damage (distress, anxiety) caused by a data breach. You can bring a claim directly through the courts. No-win no-fee law firms handle many data breach claims. You do not need to complain to the ICO first, but an ICO ruling in your favour strengthens your case.

What should I do if I receive a data breach notification?

First, read the notification carefully: it should say what data was exposed. Change any passwords associated with that account immediately, especially if the same password is used elsewhere. Enable two-factor authentication. Monitor your bank statements and credit report for unusual activity. If you believe the company failed to adequately protect your data, you can complain to the ICO.

How do I complain to the ICO about a data breach?

You can submit a complaint to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. The ICO will assess whether the organisation followed the rules. The ICO does not award compensation, but its findings can be used to support a compensation claim through the courts. The ICO can also issue fines and enforcement notices against organisations.

Does a company have to tell me if my data was breached?

Under UK GDPR, organisations must notify the ICO within 72 hours of becoming aware of a breach that risks individuals' rights and freedoms. They must notify affected individuals 'without undue delay' if the breach poses a high risk to them. Not every breach requires individual notification, only high-risk ones. You can ask an organisation whether your data was involved by making a Subject Access Request.