Data Breach Notification in the UK — Your Rights and What to Do
When a company suffers a data breach that affects your personal data, they are required by law to notify you if the breach is likely to result in a high risk to your rights and freedoms. This guide explains what you're entitled to know, what the company must do, and what you can do if you believe they've handled the breach poorly.
What UK Law Requires of Companies
Under the UK GDPR (the UK's post-Brexit data protection framework, retained from and closely mirroring the EU GDPR) and the Data Protection Act 2018, organisations must:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Notify affected individuals without undue delay if the breach is likely to result in high risk — such as financial harm, identity theft, or significant distress
- Tell you, in clear and plain language: what happened (the nature of the breach), what data was involved, the likely consequences, what they are doing about it, who to contact (their data protection officer or another contact point), and what you can do to protect yourself
What Companies Do Not Have to Tell You
Companies do not have to notify you if:
- The data was protected by measures such as strong encryption that make it unintelligible to whoever obtained it, and the key was not compromised
- They have since taken measures that mean the high risk is no longer likely to materialise (for example, the breach was contained before any data was accessed externally)
- The breach is not likely to result in a high risk to individuals
Where notifying everyone individually would take disproportionate effort, an organisation can instead make a public communication (such as a notice on its website), as long as it informs affected people equally effectively.
However, they must still notify the ICO unless the breach is unlikely to result in any risk, and they must keep an internal record of every breach, including those they decide not to report. You can ask the ICO whether a specific organisation reported a breach.
What to Do When You Receive a Breach Notification
1. Read what data was involved. An email address alone is lower risk than passwords, payment details, or identity documents, but it still makes you a target for phishing that references the breach, so treat unexpected emails about it with suspicion
2. Follow the company's recommended steps. They may offer free credit monitoring or password reset tools
3. Change your password on the affected service and on any other service where you used the same password. A password that appears in a breach will be tried against other sites, so reuse is the real danger
4. Enable 2FA on the affected account, preferring an authenticator app or security key over SMS where the service offers it
5. Monitor your email and bank accounts for unusual activity for at least the next few months. Stolen data is traded and reused long after the breach, so the risk does not end after a few weeks
See the full practical checklist at /protect-yourself-after-data-breach.
Your Rights as a Victim of a Data Breach
Right to compensation
Under Article 82 of the UK GDPR, you can claim compensation from the organisation for material damage (financial loss) or non-material damage (distress) caused by its breach of data protection law. The ICO cannot award compensation to individuals; you claim it from the organisation directly, or through the courts if it refuses. A complaint to the ICO can still help, because its findings are useful evidence in a claim.
Subject Access Request (SAR)
You have the right to request a copy of all personal data the organisation holds about you, and you can ask it to confirm which of your data was involved in the breach. It must respond within one month, extendable by up to two further months if the request is complex. A SAR is free in most cases; a fee or refusal is only permitted where the request is manifestly unfounded or excessive.
Right to complain to the ICO
You can complain to the ICO at ico.org.uk/make-a-complaint if you believe the organisation:
- Failed to notify you when they should have
- Failed to take adequate security measures
- Mishandled your data in a way that contributed to the breach
How to Complain to the ICO
1. First, raise a formal complaint directly with the organisation and give it time to respond. Note the ICO's own time limit: it expects you to bring a complaint to it within three months of your last meaningful contact with the organisation
2. If unsatisfied, go to ico.org.uk/make-a-complaint
3. Complete the online complaint form. Include your SAR response (if you submitted one), any communication with the organisation, and details of any harm caused
4. The ICO will assess the complaint and can take enforcement action, including fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious violations. It does not award compensation to individuals
Frequently Asked Questions
The company told me my data was involved in a breach two years ago. Is it too late to act?
No. The ICO complaint process has a time limit (it expects complaints within three months of your last meaningful contact with the organisation), but you can still take personal protective action. Change the password, check Have I Been Pwned, and monitor your credit file. If you suffered financial harm as a result of a breach, you may have up to 6 years to claim compensation through the courts under the Limitation Act 1980.
A company was breached and I wasn't notified. How do I find out if my data was involved?
Check haveibeenpwned.com, where breaches are often listed before official notifications go out, and use its notification service so that you are emailed when your address appears in a future breach. You can also submit a Subject Access Request to the company asking for confirmation of what data of yours it holds and whether that data was involved in any security incident.
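Have I Been Pwned also lets you check whether a specific password has appeared in a breach without revealing the password to the service. The script below is an added example, not part of this guide and not HIBP's own code: it implements the k-anonymity range lookup the Pwned Passwords API uses. Only the first five hex characters of the password's SHA-1 hash are ever sent; the server returns every hash suffix in that bucket and the match is made locally. The range endpoint and the Add-Padding header are real; the sample response embedded below is constructed for offline use, not a real capture.

```python
"""Check a password against Pwned Passwords using k-anonymity.

Added example (not the article's or HIBP's code). The endpoint is real;
SAMPLE_RESPONSE is constructed so the logic can be exercised offline.
"""
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the first 5 hex chars of the SHA-1 digest
    and the remaining 35. Only the prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the
    breach count for our suffix, or 0 if it is absent. Padded responses
    contain dummy lines with COUNT 0, which correctly read as 'not found'."""
    wanted = suffix.strip().upper()
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or candidate.strip().upper() != wanted:
            continue
        try:
            return int(count.strip())
        except ValueError:
            return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup over the network. Add-Padding asks HIBP to pad the
    response so its size does not reveal how many suffixes the bucket holds."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-guide-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, response_text: Optional[str] = None) -> int:
    """Number of times the password appears in Pwned Passwords.
    Pass response_text to work offline; omit it to query the live API."""
    prefix, suffix = split_sha1(password)
    text = response_text if response_text is not None else fetch_range(prefix)
    return count_in_range(suffix, text)


# Constructed sample of a /range/5BAA6 response (not a real capture).
# The third line is the suffix of SHA-1("password") with an illustrative count;
# the last line is a padding-style entry with count 0.
SAMPLE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E63B0F3ED76E6B2C0BB4F5D6F1B0C0A61D:0
"""

if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print("sent to server:", prefix)
    print("matched locally:", suffix)
    print("count in constructed sample:", pwned_count("password", SAMPLE_RESPONSE))
```

A non-zero count means the password is in circulation and should be retired everywhere it was used, not only on the breached service. Replace `SAMPLE_RESPONSE` with the result of `fetch_range(prefix)` to query the live service.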
The ICO investigated the company but I still haven't received compensation. What can I do?
An ICO investigation can result in enforcement action against the company but does not automatically result in compensation for individuals. To claim compensation, you either negotiate directly with the company, or pursue a civil claim through the courts. Many data breach cases are handled by specialist law firms on a no-win, no-fee basis — search for "UK GDPR data breach solicitor."