In Short
- Compensation claims pose a growing risk – Individuals can claim for financial loss or emotional distress caused by a data breach.
- Non-compliance can be costly – Businesses face ICO fines, legal claims, and reputational damage for failing to protect personal data.
- Strong data protection practices are essential – Regular audits, staff training, and security measures help reduce legal risks.
Tips for Businesses
To avoid compensation claims, ensure your business meets UK GDPR obligations by conducting data audits, securing personal data, and responding to Subject Access Requests correctly. Stay informed on legal changes and seek legal advice if unsure about compliance. Proactive steps can help prevent costly breaches and legal disputes.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) set out strict rules on how businesses must use personal data. While we often hear about the risk of heavy fines that the Information Commissioner’s Office (ICO) can impose, there is another risk that businesses must not overlook – the risk of compensation claims from individuals. Data protection rights are fundamental rights that afford data subjects significant legal protection. Under the UK GDPR, individuals can claim compensation for damage resulting from a breach of the UK GDPR provisions.
For example, an individual might bring a claim after a personal data breach compromised their data and caused them loss. These claims can hit businesses hard, both financially and reputationally. This article explores the data protection law rules, the negative consequences your business could face for non-compliance, compensation for data protection breaches, and how to protect your business from risk.
Non-Compliance Risks
The UK GDPR and DPA 2018 apply to any business that handles personal data, regardless of size or industry. Since each business processes data differently, complying with the rules requires a tailored approach. You should carefully review your data processing activities, audit for weak spots in compliance, and take specific actions to address any gaps in your data protection practices. Regular audits and keeping up to date with legal updates and regulatory guidance will reduce the chance of breaches and claims.
The ICO enforces data protection laws and can take action against businesses that breach them, e.g., by issuing information notices, demanding changes to data practices, or imposing fines for serious violations.
Breaching data protection laws affects more than your compliance status; it can significantly harm your reputation. Individuals expect businesses to handle personal data securely and lawfully, so failing to do so can lead to a loss of trust, reputational damage, and missed business opportunities.
While fines are often the big news, compensation claims under Article 82 of the UK GDPR can have a financial and reputational impact and are increasingly threatening. In specific scenarios, individuals whose data you mishandle in breach of data protection law rules can claim compensation. If they are successful, the courts can legally require your business to pay them compensation for financial loss or emotional distress.
What is the Right to Claim Compensation?
Article 82 of the UK GDPR gives individuals the right to claim compensation if they suffer financial loss or emotional distress due to a data protection law breach. It states that anyone who suffers material (economic) or non-material (emotional) damage due to a violation of the UK GDPR can claim compensation from the data controller or (in some instances) the processor responsible – if the processor has breached its obligations under the UK GDPR or acted outside the lawful instructions of the controller.
The ICO cannot award compensation, but individuals may approach your business directly to seek compensation. If your company refuses to pay, they may take the case to court.
Compensation Considerations
To claim compensation, individuals must prove a breach occurred, they suffered damage, and the breach caused that damage. They must show that your business failed to comply with the law – for example, by processing data unlawfully or not securing data properly.
Where more than one controller or processor is responsible for the same damage, each may be held jointly and severally liable for the full compensation, so that the data subject is adequately protected. However, your business will not be liable if you prove you were not responsible for the breach.
Why are Compensation Claims on the Rise?
Nowadays, virtually everyone has heard of the GDPR, and individuals are increasingly savvy about their rights. Privacy is of utmost concern for many of us.
Compensation claims are increasing as more people become aware of their data rights and what they are entitled to. No-win, no-fee legal services have also made it easier for individuals to pursue claims, contributing to the rise in cases. For businesses, this means a growing risk of claims and ICO fines.
Common reasons individuals file compensation claims include:
- sending their personal data to the wrong person;
- failing to respond to Subject Access Requests correctly; and
- inadequate data security, which leads to breaches affecting an individual’s data.
How Can Your Business Avoid Data Protection Risks?
Adopting strong data protection practices throughout your business may reduce the risk of enforcement action (such as administrative fines) and compensation claims.
Compliance steps will look different for each individual business, but some common steps to help prevent risk include:
- audit how you collect, process, and store data, and determine the full extent of your compliance obligations through a data mapping exercise and a data protection compliance plan, so that you do not miss any key responsibilities and have all bases covered in your compliance action points;
- keep up with changes in data protection law to ensure your activities remain compliant over time and avoid unlawful processing. Remember, business and the law can change quickly, so staying ahead is vital to preventing risk;
- strengthen your data security, as poor data security can soon lead to risk. To address this, you can use strong measures such as encryption, restrict access to sensitive data, and regularly test your systems for vulnerabilities;
- since human error causes many breaches, train your staff to understand their data protection responsibilities to help avoid risk;
- create and test a clear breach response plan. Breaches can still happen even with good security. Your plan should set out how to notify affected individuals and when you must report to the ICO, so that reports are made on time and complaints are less likely to arise; and
- take legal advice from a data protection solicitor if you are unsure about any aspects of compliance – prevention is far better than cure, and a qualified solicitor can guide you on the extent of your compliance obligations.
Proactive Actions
Taking proactive actions can help you reduce the risk of breaches and protect yourself from legal claims from data subjects, which could be both hugely costly and drain your time and resources.
Key Takeaways
Although regulatory fines make the headlines, compensation claims also pose a significant risk to your business. These claims can cover financial losses and emotional distress and create economic and reputational harm for a company. To protect your business, implement strong data protection practices, stay updated on legal changes, and ensure you continuously prioritise compliance to avoid breaching your UK GDPR obligations.
If you need legal advice on UK GDPR compliance and taking measures that may help protect your business from potential compensation claims, our experienced data protection lawyers can help as part of our LegalVision membership. For a low monthly fee, you’ll have unlimited access to lawyers who can answer your questions, review your data protection policies, and guide you through complex compliance issues. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
If your business fails to comply with the UK GDPR, the ICO can impose fines of up to £17.5 million or 4% of your annual global turnover, whichever is higher.
Individuals can claim compensation if they suffer financial loss or emotional distress due to a data protection law breach. Claims can be made against both data controllers and processors. The courts determine the compensation amount based on the extent of the damage.