GDPR Distress Compensation
Following the 2025 Court of Appeal ruling, you no longer need to prove financial loss to claim compensation for distress caused by a data breach.
Anxiety, stress, embarrassment, or loss of sleep from a data breach are all valid grounds for a GDPR distress claim under UK GDPR Article 82.
What changed?
Before (Lloyd v Google)
Claims required proof of financial loss or a high threshold of distress. Many valid claims were dismissed.
Now (2025 Court of Appeal)
The distress threshold has been removed. Any genuine distress from a data breach, including anxiety, sleeplessness, or embarrassment, is sufficient.
What you can do
Submit a Subject Access Request (SAR)
Find out what data the organisation holds about you and how the breach occurred.
File an erasure request
Request deletion of your personal data under Article 17 (right to be forgotten).
Complain to the ICO
The Information Commissioner can investigate and fine organisations up to £17.5m or 4% of turnover.
Claim distress compensation
Under UK GDPR Article 82, claim compensation for the anxiety, stress, and disruption caused by the breach.
Legal basis
UK GDPR Article 82: Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor.
DPA 2018 s.168: Provides a statutory right to compensation for data protection breaches in domestic law.
Vidal-Hall v Google [2015]: Established that distress-only claims are valid under data protection law. The 2025 ruling lowered the threshold further.