Last updated 29 August 2025. The answer to ‘Can I sue a company for a data breach?’ is yes, provided that you are able to show that you suffered emotional distress or financial loss (or both) due to an organisation failing to protect your personal information. To make a claim in the UK, you’ll need supportive evidence and may want to reach out to a specialist solicitor, who may be able to represent you on a No Win No Fee basis.
We start our guide by looking at the criteria to claim for a personal data breach. Following this, we look at how data breach compensation may be calculated. Next, you can find information on common causes of data breaches and what happens when companies breach data protection regulations. Finally, at the end of this guide, you can find information on how to make a claim and how we could help you.
Am I Eligible To Sue A Company For A Data Breach?
Before we answer the question, “Can I sue a company for a data breach?”, we will first define what a data breach is. A data breach occurs when a third party, such as a data processor or data controller, has a security breach that affects your personal data.
A breach may be caused by human error or a deliberate act. Your data will have been either:
- Lost
- Altered
- Unlawfully or accidentally destroyed
- Accessed
- Disclosed without authorisation
Any company which handles or processes your personal data must adhere to specific regulations. They must comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
To sue a company for a data breach, you must show that:
- The company failed to adhere to the regulations and rules, as set out in the legislation above.
- This failure caused a breach in which your personal data was compromised.
- The personal data breach caused you a psychological injury or financial loss.
If you can show that your claim meets these criteria, you may be able to sue a company. Our team could review your case and determine whether you have a valid claim.
How Much Compensation Can I Claim?
If you successfully sue a company for a data breach, you may be awarded a settlement. This settlement could compensate you for the emotional and psychological impact of the breach, referred to as non-material damage. For example, you could suffer psychological injuries such as post-traumatic stress disorder or anxiety due to a data breach if the breach exposed your personal information.
Associated financial losses resulting from the breach are known as material damage. For example, you may have lost income due to taking time off work as a result of suffering anxiety or stress. You may also claim compensation for the cost of counselling services.
Use Our Data Breach Compensation Calculator
Compensation for psychological injuries may be valued by using the Judicial College Guidelines (JCG). The JCG provides guideline brackets covering different types of psychological and physical injuries.
We have taken entries from the JCG, which you can find in the following table. Please note that the first entry is not taken from the JCG. This illustrates an award for a case that involves financial losses. The entries in this table should only be taken as illustrative, and not as any compensation guarantee.
Type of Harm | Damages | Severity |
---|---|---|
Psychiatric damage or PTSD with significant financial losses | Up to £500,000 or more | Severe |
Psychiatric Damage - Generally | £66,920 to £141,240 | Severe |
Psychiatric Damage - Generally | £23,270 to £66,920 | Moderately Severe |
Psychiatric Damage - Generally | £7,150 to £23,270 | Moderate |
Psychiatric Damage - Generally | £1,880 to £7,150 | Less Severe |
Post-Traumatic Stress Disorder (PTSD) | £73,050 to £122,850 | Severe |
Post-Traumatic Stress Disorder (PTSD) | £28,250 to £73,050 | Moderately Severe |
Post-Traumatic Stress Disorder (PTSD) | £9,980 to £28,250 | Moderate |
Post-Traumatic Stress Disorder (PTSD) | £4,820 to £9,980 | Less Severe |
You will need to supply evidence of any financial losses you wish to claim. Evidence could include your bank statements and copies of invoices.
Our team could help to assess what you may be eligible to claim if a data breach has occurred.
Common Causes Of Data Breach Claims
There are numerous potential causes of a data breach. Some examples may be relatively straightforward, whilst others could involve complicated scenarios. Data breaches could be caused by human errors or may be the result of deliberate and sophisticated cybercrime.
Some of the most common causes of data breaches could include:
- Lost or stolen devices – these may contain customers’ personal and/or sensitive information. For example, an employee could breach the UK GDPR by losing a laptop containing customers’ personal data.
- Phishing – cyber criminals may use deceptive messages (such as emails) or websites to trick employees into sharing sensitive information. Companies should provide employees with adequate training to avoid these attempts.
- Wrong postal or email address – an employee may send customers’ data to the wrong postal address, email address or fax number. This could mean people’s data is sent to the wrong person.
- Loss or theft of physical documents – this could be caused by the failure to properly store and secure physical paperwork.
These are just some examples of how a data breach could occur. You can learn more about common types and causes of data breaches in a report on data security incident trends, published by the Information Commissioner’s Office (ICO). The ICO is the regulator for information and data protection rights in the UK.
Please contact our team if you have received a data breach notification or suspect a company has breached data protection law.
What Happens When A Company Breaches GDPR?
What happens if a company breaches GDPR? If this happens, the breach must be reported to the ICO within 72 hours.
The ICO has a variety of enforcement powers which it may use in the event a company has a data breach. For example, in the event of a serious data protection breach, the ICO may fine a company. The fine may be up to £17.5 million or 4% of annual global turnover, whichever is higher.
Other enforcement actions may include:
- Issuing a warning to the company.
- Issuing an assessment notice.
- Sending an enforcement notice to the company.
- Sending a reprimand to the company.
In addition, those impacted by the breach may be able to take legal action against the company.
You can find data breach guidance for families and individuals in this resource from the National Cyber Security Council. Our team can also provide further help and advice.
How To Make A Data Breach Claim
Having answered the question “Can I sue a company for a data breach?” and having looked at what happens if a company breaches the UK GDPR, we now examine the data breach claims process.
Gather Evidence To Support Your Claim
One of the most important parts of the claims process is gathering evidence. You must submit sufficient evidence to show that the third party responsible breached data protection law.
You should collect evidence which shows:
- What has happened? How did the data breach occur?
- Who was responsible for the data breach?
- What impact has the breach had on you?
Types of evidence you could collect and submit with your claim could include:
- A letter of notification from the company about the data breach.
- Any correspondence between you and the ICO.
- Medical records showing the impact the breach had on your mental health, such as the development of conditions including anxiety and other types of psychological injury.
- Bank statements, receipts and any other forms of evidence showing financial losses.
If you choose to claim with a data breach solicitor from our panel, they could help you to claim compensation.
How Long You Have To Make A Claim
If you think your data privacy has been breached, you should notify the organisation or company you believe is responsible. This party then has 1 month to respond to you. In order to claim compensation, you should report the data breach as soon as possible and start the claim within the relevant time limit.
Call to check if you are still in time to start a claim.
Considering A No Win No Fee Solicitor
If you have a valid data breach claim against a company, a specialist data breach solicitor from our panel could help you. All the solicitors who make up our panel could help people to claim against a company for a data breach on a No Win No Fee basis. To do so, they could offer you a Conditional Fee Agreement (CFA).
The main benefits of using a CFA include:
- Getting help from a specialist solicitor who could explain data protection law and help guide you through your claim.
- There are no solicitor’s fees to pay upfront before the case starts.
- No fees to pay for the solicitor’s work whilst the claim is underway.
- Nothing to pay for the solicitors’ work if the claim fails.
If your case is successful, you will pay a solicitor’s fee, called a success fee. This success fee is limited by law to a small percentage of your compensation. This ensures that you retain the bulk of the damages.
Contact us to get free advice and to find out if you are eligible to claim.
How Public Interest Lawyers Can Help You Claim
The solicitors who make up our panel are specialists in helping people to make data breach claims. They could help by:
- Explaining examples of data breach claims.
- Helping you to gather supporting evidence.
- Explaining how the claims process works as well as terminology which may be used.
- Helping you to build your claim.
- Negotiating with the other party to get you the best possible settlement.
Learn more about how to sue a company for a data breach by:
- Speaking to us live.
- Calling our team on 0800 408 7825.
- Contacting us via our online form.
More Information
You can find more helpful resources and information on dealing with a personal data breach below.
Our related guides:
- Read about the definition of a data breach in this guide.
- Check how to claim for a misdirected fax data breach in this guide.
- Here, we look at how to claim for the failure to use BCC, leading to a data breach.
External guides:
- Find advice for the public in this resource from the Information Commissioner’s Office.
- Get help and support with your mental health in this NHS guide.
- Check how to make a complaint if you think your data has been misused in this government resource.
We hope our guide has answered the question, “Can I sue a company for a data breach?” For more information on making a personal data breach claim, get in touch with our team.