Behind the Numbers

This calculator uses the Judicial College Guidelines – the same framework UK courts reference when awarding damages. Compensation splits into two buckets: material damage (actual money you lost) and non-material damage (the psychological toll).

Material damage is straightforward – add up fraud losses, credit monitoring fees, therapy bills, and wages lost from time off work. Non-material damage is trickier. Courts assess severity from “less severe” (£1,880-£7,150 for temporary anxiety) to “severe” (£66,920-£141,240 for permanent psychiatric harm). PTSD claims range £4,820-£122,850 depending on recovery prospects.

We pull compensation brackets from ICO enforcement data, actual court settlements, and guidance published by Gov.uk and the Information Commissioner’s Office. The calculator weights factors like data sensitivity (medical records score higher than email addresses), company negligence (did they ignore warnings?), and whether identity theft occurred.

This is based on average data patterns across thousands of UK GDPR claims. Your situation may differ – a solicitor can review specifics. But this gives you the honest number most organisations will pay to avoid court.

Why Your Data Has a Price Tag Now

UK businesses faced 8.58 million cybercrimes in the last year alone. That’s not a typo. The government’s 2025 Cyber Security Breaches Survey found 43% of UK businesses detected breaches or attacks – down from 50% in 2024, but still nearly half. The average cost per business hit £990 when you exclude phishing.

Meanwhile, the ICO is handing out record fines. Capita got slapped with £14 million in November 2025 after 6.6 million people had data stolen – pension details, criminal records, home addresses, the works. Originally £45 million before they cooperated. These fines don’t go to victims. You have to claim separately.

The UK GDPR changed the game. Before 2018, claiming for distress alone was nearly impossible. Now? If a breach causes you anxiety, sleep problems, or embarrassment, that’s compensable. You don’t need financial loss. Courts have awarded £250 for minimal distress and £72,000+ for severe cases.

Here’s what most people miss: companies must report serious breaches to the ICO within 72 hours and notify affected individuals. If they didn’t tell you promptly, that’s evidence of negligence. Keep every email, text, or letter. Those become your claim evidence. The clock starts ticking from the breach date, not when you discover it – but you have 6 years to file.

What Real People Got Paid

What Different Breaches Pay

FAQs

Can I claim if no money was stolen?

Yes. UK GDPR compensation covers non-material damage like distress, anxiety, and embarrassment. If the breach caused you worry about identity theft, disrupted your sleep, or made you feel violated, that’s claimable. Financial loss increases your payout but isn’t required. Warren got £750 for a Currys breach with zero monetary loss.

How long do I have to make a claim?

Six years from the breach date for private companies. One year if claiming against public bodies like NHS trusts or councils. The clock starts when the breach occurred, not when you found out – but most solicitors advise claiming within 3 years for stronger evidence. Report to the ICO within 3 months of your last meaningful contact with the organisation.

What evidence do I need?

Keep every communication from the company – emails, letters, texts about the breach. Gather bank statements showing fraud losses, credit monitoring receipts, therapy bills. Medical evidence helps for psychological claims: GP notes, psychiatrist letters documenting anxiety or depression. Screenshots of breach notifications. Statements from family or coworkers who witnessed your distress. The more you document, the higher your payout.

Do companies usually settle or go to court?

Most settle. Going to court is expensive and public – companies prefer paying you off quietly. Solicitors estimate 70-80% of valid data breach claims settle before trial. Average settlements land in the £2,000-£8,000 range for moderate cases. Severe cases with strong evidence push £15,000-£50,000. Only the weakest or highest-value claims actually reach a courtroom.

Will claiming affect my relationship with the company?

They cannot legally retaliate. If it’s your employer, bank, or NHS trust, UK law protects you from adverse treatment for asserting GDPR rights. Solicitors handle claims professionally and confidentially. Companies deal with hundreds of breach claims – this is routine business to them. If you’re worried about retaliation, document everything and consider switching providers after settlement.

What’s No Win No Fee and how much do solicitors take?

No Win No Fee means you pay nothing upfront or ongoing. If you lose, you owe nothing. If you win, the solicitor takes a success fee – legally capped at 25-35% of your compensation. So a £10,000 payout becomes £6,500-£7,500 in your pocket after fees. Most breach solicitors operate this way because claims are low-risk and high-volume.

My company offered me £100 voucher to “settle” – should I take it?

Probably not. Companies lowball victims hoping they’ll accept peanuts and sign away rights. A £100 voucher for a medical record breach worth £5,000-£10,000 is insulting. Don’t sign anything without solicitor review. Once you accept settlement, you cannot claim more later. Get your case valued first, then negotiate from a position of knowledge.

What if the company went bust or is based overseas?

UK GDPR applies to any company processing UK residents’ data, regardless of location. If they have UK operations or customers, they’re liable. For bankrupt companies, claims can be filed against administrators or insurers – professional indemnity insurance often covers breach payouts. EU-based companies fall under reciprocal enforcement. US or other overseas firms are trickier but not impossible if they do business in the UK.

References