Data Breach Complaints

Complaints
Reviewed by Civil Help editorial team: 8 November 2025
Next review: 8 June 2027
5 min
Verified against 4 sources
  • https://ico.org.uk/make-a-complaint/
  • https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
  • https://www.legislation.gov.uk/ukpga/2018/12/contents
  • https://www.legislation.gov.uk/eur/2016/679/contents

A data breach occurs when your personal information is accessed, disclosed, lost, or stolen in a way that was not authorised. Whether the breach involved your financial details, health records, or contact information, you have rights under UK GDPR and the Data Protection Act 2018 — including the right to complain to the Information Commissioner's Office (ICO) and to claim compensation.

Key points

  • Organisations must notify you of a personal data breach that poses a high risk to your rights and freedoms.
  • You can complain to the ICO if you believe an organisation has mishandled your data or failed to notify you of a breach.
  • You can claim compensation for damage (including distress) caused by a data breach under UK GDPR.
  • Act quickly if your financial data was involved — contact your bank immediately and monitor your accounts.

What to Do When You Discover a Breach

If you discover your personal data has been breached — whether through a notification from the organisation, a news report, or noticing suspicious activity on your accounts:

  • If financial data was involved: Contact your bank or card provider immediately. Request replacement cards if your card details may have been compromised. Monitor your statements for any unauthorised transactions and report them to your bank at once.
  • If login credentials were involved: Change your passwords on the affected service and any other services where you use the same password. Enable two-factor authentication where available.
  • Check your credit file: Use a free credit checking service to see if any credit applications have been made in your name.
  • Report fraud: If you believe you have been a victim of identity fraud resulting from the breach, report to Action Fraud (actionfraud.police.uk).

Complaining to the ICO

If you believe an organisation has breached your data rights — by failing to protect your data adequately, failing to notify you of a breach, or mishandling your data in any other way — you can complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

The ICO is the UK's data protection regulator. It can investigate organisations and issue enforcement notices, fines, or require specific action. However, the ICO cannot itself award you compensation — for compensation, you must pursue a civil claim.

Before complaining to the ICO, raise your concern directly with the organisation first. Give them a reasonable period to respond (usually around four weeks). If they do not respond satisfactorily, you can then escalate to the ICO.

Claiming Compensation for a Data Breach

Under Article 82 of UK GDPR, you have the right to claim compensation from an organisation that has breached your data rights if you have suffered damage as a result. Damage includes both material damage (financial loss) and non-material damage (distress, anxiety, loss of control over personal information).

To claim compensation:

  • Write to the organisation's Data Protection Officer (DPO) setting out the breach, the damage you have suffered, and the compensation you are seeking
  • If the organisation refuses, you can issue a civil claim in the County Court
  • Some solicitors take data breach compensation claims on a no-win no-fee basis for larger breaches

Be wary of claims management companies advertising data breach compensation — they often charge high fees that reduce your net compensation significantly.

The ICO Complaints Process in Detail, Evidence to Gather, and Group Actions

The Information Commissioner's Office (ICO) is the UK's independent data protection regulator, established under the Data Protection Act 2018. Understanding how the ICO investigates complaints — and its limitations — helps you decide whether an ICO complaint, a civil claim, or both is the right approach for your situation.

The ICO complaints process: Before complaining to the ICO, you must raise your concern directly with the organisation and allow them a reasonable period to respond — typically three months. The ICO's online complaint form asks you to confirm this step. Once submitted, the ICO will assess whether your complaint falls within its remit and whether it raises issues that warrant investigation. The ICO receives a very large volume of complaints and prioritises those that raise potential systemic failures or serious harms. For individual low-level complaints, the ICO may close the case with guidance rather than a formal investigation. This does not prevent you pursuing a civil compensation claim.

Evidence to gather for an ICO complaint and civil claim: Document everything from the moment you discover or suspect a breach. Your evidence file should contain: the notification from the organisation (if you received one) with the date; a description of what data was affected (your name, address, financial details, health information, etc.); evidence of any harm suffered — financial fraud, identity theft, distress — with as much documentation as possible (bank statements, medical notes, records of emotional impact); your correspondence with the organisation's DPO; the organisation's response or lack of response; screenshots of any unauthorised use of your data (for example, fraudulent accounts or applications made in your name); and a credit file check showing any adverse entries resulting from the breach.

What the ICO can and cannot do: The ICO can investigate organisations and issue enforcement notices, monetary penalties (fines), information notices, and orders requiring specific action. However, the ICO cannot itself award you compensation — for that, you need a civil claim. An ICO investigation or enforcement decision can be very useful evidence in a civil claim, as it establishes the facts of the breach and the organisation's culpability. The ICO also has a complaints resolution function for less serious cases, which can result in the organisation being required to take specific action (for example, deleting data or providing a proper subject access response) without a formal enforcement notice.

Group litigation for large-scale breaches: Where a data breach has affected many people — such as large-scale cyber attacks or systemic data mishandling — group litigation actions (brought by claimants collectively) can be an effective route. Several data breach group actions have resulted in settlements, including actions against major retailers, healthcare providers, and public sector bodies. If you were affected by a widely reported data breach, search for existing group actions before bringing an individual claim — joining an existing action is often more efficient and cost-effective than bringing a claim alone. Specialist data protection solicitors and law firms advertising class actions can advise on whether a group action is available for your breach.

Frequently asked questions

Do I need to report a data breach to the police?

You do not need to report a data breach to the police unless it involves criminal activity — such as identity theft or fraud. If you believe your data is being actively used for fraud, report to Action Fraud. The ICO handles regulatory complaints about organisations' data handling; the police handle criminal investigations.

How do I know if my data has been part of a breach?

The organisation that suffered the breach should notify you if the breach poses a high risk to your rights and freedoms. You can also check tools like HaveIBeenPwned.com to see if your email address appears in known data breach datasets. Monitoring your credit file and bank statements for unusual activity is also advisable.

How much compensation can I claim for a data breach?

There is no fixed amount — compensation is assessed based on the severity of the breach, the sensitivity of the data involved, and the impact on you. Small-scale breaches typically attract modest amounts (hundreds of pounds for distress). Large-scale breaches involving sensitive categories of data (health records, financial information) can attract higher amounts. Some group litigation actions have achieved larger settlements.

The organisation says they have fixed the breach and there is no ongoing risk — do I still have a claim?

Yes, if you suffered damage as a result of the breach — even if the organisation has now remedied the vulnerability. Under Article 82 of UK GDPR, your right to compensation arises from the breach itself and the damage it caused, not from whether the breach is ongoing. Document the impact on you (distress, any financial loss, time spent dealing with consequences) and pursue a civil claim or ICO complaint regardless of what remedial steps the organisation has taken.

Can I complain about an NHS trust sharing my medical records without my consent?

Yes. Unauthorised disclosure of health records is a serious data breach. Raise a formal complaint directly with the NHS trust's Data Protection Officer first. If you are not satisfied with the response, complain to the ICO — health data is a special category of data under UK GDPR and attracts higher protection. You may also have a civil claim for compensation if the disclosure caused you distress or other damage. The ICO has taken enforcement action against NHS organisations for health data breaches.

What to do next

  1. Make a data breach complaint to the ICO
     Report an organisation's data breach to the ICO.

  2. Report identity fraud to Action Fraud
     Report fraud resulting from a data breach.

  3. Check if your data was in a known breach
     Check HaveIBeenPwned for known data breach exposure.

Official bodies and resources

  • Information Commissioner's Office (Regulator): The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.
  • Citizens Advice (Charity): Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.