Data Breach Complaints
Verified against 4 sources
- https://ico.org.uk/make-a-complaint/
- https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- https://www.legislation.gov.uk/ukpga/2018/12/contents
- https://www.legislation.gov.uk/eur/2016/679/contents
A personal data breach is a security failure that leads to your personal data being accidentally or unlawfully destroyed, lost, altered, disclosed without authorisation, or accessed without authorisation. Whether the breach involved your financial details, health records, or contact information, you have rights under the UK GDPR and the Data Protection Act 2018, including the right to complain to the Information Commissioner's Office (ICO) and to claim compensation.
Key points
- Organisations must report a breach that is likely to result in a risk to individuals to the ICO within 72 hours of becoming aware of it, and must tell you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
- You can complain to the ICO if you believe an organisation has mishandled your data or failed to notify you of a breach.
- You can claim compensation for damage (including distress) caused by a data breach under UK GDPR.
- Act quickly if your financial data was involved — contact your bank immediately and monitor your accounts.
What to Do When You Discover a Breach
If you discover your personal data has been breached — whether through a notification from the organisation, a news report, or noticing suspicious activity on your accounts:
- If financial data was involved: Contact your bank or card provider immediately. Request replacement cards if your card details may have been compromised. Monitor your statements for any unauthorised transactions and report them to your bank at once.
- If login credentials were involved: Change your password on the affected service and on any other service where you reused it, choosing a different, unique password for each. Enable two-factor authentication where available, and review the account's active sessions and linked devices for any you do not recognise.
- Check your credit file: You can obtain your statutory credit report free of charge from each of the three UK credit reference agencies (Experian, Equifax and TransUnion), or use a free credit checking service, to see whether any credit applications or accounts have been opened in your name.
- Report fraud: If you believe you have been a victim of identity fraud resulting from the breach, report it to Action Fraud (actionfraud.police.uk) in England, Wales and Northern Ireland, or to Police Scotland if you live in Scotland.
Complaining to the ICO
If you believe an organisation has breached your data rights — by failing to protect your data adequately, failing to notify you of a breach, or mishandling your data in any other way — you can complain to the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
The ICO is the UK's data protection regulator. It can investigate organisations and issue enforcement notices, fines, or require specific action. However, the ICO cannot itself award you compensation — for compensation, you must pursue a civil claim.
Before complaining to the ICO, raise your concern directly with the organisation first and give it a reasonable period to respond (the ICO suggests one month). If it does not respond, or its response is unsatisfactory, you can escalate to the ICO; the ICO expects to receive your complaint within three months of your last meaningful contact with the organisation.
Claiming Compensation for a Data Breach
Under Article 82 of the UK GDPR, you have the right to claim compensation from an organisation that has breached your data rights if you have suffered damage as a result. Damage includes both material damage (financial loss) and non-material damage (distress, anxiety, loss of control over personal information); section 168 of the Data Protection Act 2018 confirms that non-material damage includes distress.
To claim compensation:
- Write to the organisation's Data Protection Officer (DPO), or to its privacy or data protection contact if it has no DPO, setting out the breach, the damage you have suffered (with evidence), and the compensation you are seeking
- If the organisation refuses or does not respond, you can issue a civil claim in the County Court. Claims under £10,000 are normally allocated to the small claims track, where you cannot usually recover solicitor's costs even if you win, so weigh the likely award against the cost of legal help
- Some solicitors take data breach compensation claims on a no-win no-fee basis for larger breaches
Be wary of claims management companies advertising data breach compensation — they often charge high fees that reduce your net compensation significantly.
The ICO Complaints Process in Detail, Evidence to Gather, and Group Actions
The Information Commissioner's Office (ICO) is the UK's independent data protection regulator; its role and powers are set out in the Data Protection Act 2018. Understanding how the ICO investigates complaints, and its limitations, helps you decide whether an ICO complaint, a civil claim, or both is the right approach for your situation.
The ICO complaints process: The ICO expects you to raise your concern directly with the organisation first and to give it a reasonable period to respond (usually one month); you should then complain to the ICO within three months of your last meaningful contact with the organisation. The ICO's online complaint form asks you to confirm this step. Once submitted, the ICO will assess whether your complaint falls within its remit and whether it raises issues that warrant investigation. The ICO receives a very large volume of complaints and prioritises those that raise potential systemic failures or serious harms. For individual low-level complaints, the ICO may close the case with guidance to the organisation rather than a formal investigation. This does not prevent you pursuing a civil compensation claim.
Evidence to gather for an ICO complaint and civil claim: Document everything, with dates, from the moment you discover or suspect a breach. Your evidence file should contain:
- the notification from the organisation (if you received one), with the date you received it and the date it says the breach occurred
- a description of what data was affected (name, address, financial details, health information, login credentials, etc.)
- evidence of any harm suffered, whether financial fraud, identity theft or distress, with as much documentation as possible (bank statements, correspondence with your bank or Action Fraud, medical notes, a contemporaneous record of the emotional impact)
- your correspondence with the organisation's DPO or privacy contact, and its response or lack of response, with dates
- screenshots or copies of any unauthorised use of your data (for example, fraudulent accounts or credit applications made in your name)
- a credit file check showing any adverse entries resulting from the breach
What the ICO can and cannot do: The ICO can investigate organisations and issue enforcement notices, monetary penalties (fines), information notices, assessment notices, and orders requiring specific action. However, the ICO cannot itself award you compensation; for that, you need a civil claim. An ICO investigation or enforcement decision can be very useful evidence in a civil claim, as it records the regulator's findings on what happened and whether the organisation's security measures were adequate, although a court reaches its own conclusions and is not bound by the ICO's view. The ICO also has a complaints resolution function for less serious cases, which can result in the organisation being asked to take specific action (for example, deleting data or providing a proper subject access response) without a formal enforcement notice.
Group litigation for large-scale breaches: Where a data breach has affected many people, such as a large-scale cyber attack or systemic data mishandling, group litigation (claims brought by many claimants together) can be an effective route. Several data breach group actions have resulted in settlements, including actions against major retailers, healthcare providers, and public sector bodies. Note that, following the Supreme Court's decision in Lloyd v Google (2021), a claim cannot be brought on behalf of everyone affected by a breach without showing what damage each person suffered, so UK data breach group actions are generally "opt-in": you must join them, and you will still need to evidence your own loss or distress. If you were affected by a widely reported data breach, search for existing group actions before bringing an individual claim; joining an existing action is often more efficient and cost-effective than bringing a claim alone. Specialist data protection solicitors can advise on whether a group action is available for your breach.
Frequently asked questions
Do I need to report a data breach to the police?
How do I know if my data has been part of a breach?
How much compensation can I claim for a data breach?
The organisation says they have fixed the breach and there is no ongoing risk — do I still have a claim?
Can I complain about an NHS trust sharing my medical records without my consent?
What to do next
1. Make a data breach complaint to the ICO
Report an organisation's data breach to the ICO.
2. Report identity fraud to Action Fraud
Report fraud resulting from a data breach.
3. Check if your data was in a known breach
Check HaveIBeenPwned for known data breach exposure.
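HaveIBeenPwned also lets you check whether a password itself appears in breach corpora without sending the password anywhere, using a k-anonymity range lookup: only the first five hex characters of the password's SHA-1 hash go to the service, it returns every known hash suffix sharing that prefix, and the match is made on your own machine. The following is an added example written for this page, not code from HaveIBeenPwned or the original article; the function names and the sample response are the editor's own constructions, while the endpoint, the hashing and the response format follow the published Pwned Passwords API.

```python
"""
Added example, not part of the original page: how HaveIBeenPwned's
Pwned Passwords "range" lookup keeps a password private (k-anonymity).

Only the first five hex characters of SHA-1(password) are sent to the
service; it returns every known hash suffix with that prefix and the
match is made locally. Function names and the sample response below are
the editor's own constructions; the endpoint, hashing and response
format follow the published Pwned Passwords API.
"""
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; never called by the offline functions below.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix): the first 5 and remaining 35 upper-case hex
    characters of SHA-1(password). Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse '<35-hex-suffix>:<count>' lines (CRLF or LF) into {suffix: count}.
    Malformed lines are skipped rather than trusted."""
    table = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.strip().isdigit():
            continue
        table[suffix.upper()] = int(count)
    return table


def count_in_range(password: str, prefix: str, body: str) -> int:
    """Number of times `password` appears in breach corpora, given the range
    response `body` that was fetched for `prefix`. Raises if `body` is for a
    different prefix, which would otherwise give a silent false 'not found'."""
    my_prefix, my_suffix = split_sha1(password)
    if my_prefix != prefix.upper():
        raise ValueError(f"response is for prefix {prefix}, password hashes to {my_prefix}")
    return parse_range_response(body).get(my_suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (network; not exercised here). HIBP requires a User-Agent and
    honours 'Add-Padding: true', which hides the true response size from an
    observer of the connection."""
    req = urllib.request.Request(
        RANGE_URL + prefix.upper(),
        headers={"User-Agent": "example-breach-guide-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix "5BAA6". The first suffix is
# the real remainder of SHA-1("password"); its count and the other two entries
# are invented for illustration. Padding entries from the real API have count 0.
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "DEADBEEF" + "0" * 27 + ":12",
    "CAFE" + "F" * 31 + ":0",
    "not a valid line",
])


if __name__ == "__main__":
    hits = count_in_range("password", SAMPLE_PREFIX, SAMPLE_RANGE_RESPONSE)
    if hits:
        print(f"'password' appears {hits} times in the sample range: change it everywhere it is used")
    else:
        print("not found in the sample range")
```

To run it against the live service, replace SAMPLE_RANGE_RESPONSE with fetch_range(prefix) for the prefix returned by split_sha1; the prefix check in count_in_range guards against pairing a password with a response fetched for a different prefix.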
Official bodies and resources
Information Commissioner's Office
Regulator: The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.
Citizens Advice
Charity: Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.
Related guides
Social Media and Online Platform Complaints
Complaints about social media and online platforms — including content moderation decisions, data privacy issues, marketplace disputes, and harmful content — are a growing area of consumer concern. The UK's Online Safety Act 2023 has introduced new obligations on platforms, and Ofcom now oversees online safety regulation.
Building Your Complaint Evidence
A well-evidenced complaint is far more likely to succeed. Whether you are complaining to a financial firm, an energy supplier, the NHS, or a local council, the quality of your evidence determines how seriously your complaint will be taken — and how quickly it will be resolved.
How to Complain Effectively in the UK
Making a formal complaint can feel daunting, but a well-structured complaint significantly increases your chances of a satisfactory outcome. In the UK, most businesses and public bodies are required to have a complaints procedure, and following the right process gives you access to independent resolution if things go wrong.
Complaints About Professionals
When a professional — a solicitor, financial adviser, accountant, surveyor, or doctor — falls below the standard you have a right to expect, you have both contractual rights (for poor service) and regulatory rights (to report misconduct). This guide sets out the complaint routes for common regulated professions.
Complaining to the Information Commissioner about a Data Breach
The Information Commissioner's Office (ICO) regulates data protection in the UK. It handles complaints about misuse of personal data, failure to respond to Subject Access Requests, marketing breaches under PECR, and breaches of the UK GDPR. Many complaints are resolved with a written reminder to the organisation; serious breaches can lead to fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. This guide explains how to use the ICO and how to claim separately for compensation.