We live in a world where personal data is constantly in motion. While technology evolves, so do our rights.
Data protection law in England and Wales gives individuals robust tools to hold data controllers and processors accountable—and to seek compensation when things go wrong.
Whether your data was leaked, misused, or shared without your consent, remember you have the right to be informed, to be respected, and to be compensated.
Data protection litigation is growing in England and Wales, with claims emerging not just from large-scale cyberattacks but also from more common issues such as:
Where a real harm is shown, courts are prepared to award meaningful damages.
“Thank you so much for all of your hard work, and also for your support. It’s been a really tough experience, but your explanations and contextualising of a lot of the processes have really helped."
The law states that organisations, and in certain circumstances individuals, have duties under data protection legislation.
Your data must be processed lawfully, fairly and in a transparent manner. What does it mean in practice?
You must be informed of the collection and its purposes. Those purposes must be specified and legitimate. Furthermore, the data collection must be proportionate to achieve the purpose and must be fair.
The duties include handling your data in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
Whether or not the failure to comply with those duties is intentional, the consequences can be devastating and give rise to a legal action for compensation.
If your personal information is mishandled in such a way, you may be able to claim for breach of the General Data Protection Regulation (GDPR) or Data Protection Act 2018, and/or misuse of private information, breach of confidence and or breach of your human rights.
Under Article 82 of the UK GDPR, you have the right to claim compensation if you’ve suffered damage as a result of a data protection breach. This includes:
You do not need to show that the organisation intended to cause harm.
We suggest the following course of action:
If your rights have been violated, you may wish to consult our team. You may bring a claim for compensation in the civil courts.
Our team will talk to you about your case to identify what you would like to achieve and provide you with guidance on the matter.
It is important that you work with a specialist, so once your claim has been assessed, we’ll allocate the solicitor best suited to your specific situation.
Our lawyers will work tirelessly to get you the outcome you deserve. They’ll also explain the process to you and keep you up to date throughout the matter so you know where you stand.
The GDPR and Data Protection Act 2018 provides a legal framework for the collection, use, storage and dissemination of your data. This legislation is there to protect your information and give you greater transparency over its use.
Under the GDPR and Data Protection Act 2018, there are two types of data:
Information relating to criminal convictions and offences or related security measures has its own separate special category and has specific regulations on how it is processed.
The GDPR and Data Protection Act 2018 place greater obligations on how data control and processing of personal information is in line with your legal rights. The incorrect use or unauthorised disclosure of this information can cause distress and losses and often urgent action is needed.
Furthermore, the duties under the data protection legislation also include protecting your information against accidental loss, destruction or damage to your personal data.
The unauthorised disclosure of your information and/or storage of inaccurate information can have financial and reputational repercussions.
Our specialist solicitors can advise you on the best way to make a data protection claim.
In some cases, organisations may suffer a data leak where information relating to multiple individuals is either hacked or disclosed intentionally or accidentally. Our team represent both individuals and groups in actions against offending organisations. A group action can be beneficial to obtain resolution and compensation, especially where a group of people is affected by the same organisation.
We are also able to make group representations in relation to requests for official information, made under the Freedom of Information Act and or the Environmental Information Regulations, which allows members of the public to request access to information held by public authorities.
Separate from data protection, English law also recognises the tort of misuse of private information. This common law right protects against the unauthorised use or disclosure of personal information that a reasonable person would expect to remain private.
Misuse of private information is a relatively modern tort in English law, developed primarily through the courts. It protects individuals against the unauthorised disclosure or use of information in which they have a reasonable expectation of privacy.
Examples include:
As listed above, although the “misuse” in these claims is typically the unauthorised disclosure (including the wrongful publication) of private information, it can also include the accessing of such information. However, you may not have a reasonable “expectation of privacy” if the disclosed information is already in the public domain (i.e. available on the internet) or if the publication of the information is in the public’s interest.
Information is usually both private and confidential and breach of privacy claims are often brought in both misuse of private information and breach of confidence.
Further, in practice, this tort often overlaps with data protection and breach of confidence, but it remains a distinct cause of action.
If a public body has breached your privacy, you’ll also be protected by the Human Rights Act 1998 under Article 8 of the European Convention of Human Rights – the right to respect for an individual’s private and family life, his or her home and correspondence.
The law on Breach of Confidence has developed in case law over many years. In order to establish breach of confidence you’ll need to show that the information has the necessary quality of confidence (i.e. medical records, trade secrets or financial information), the information was communicated in a manner which imposed an obligation of confidence (i.e. doctor to patient or employer to employee) and that there has been an unauthorised use of the information that has caused you detriment.
The misuse of private information can be deeply harmful, but the law in England and Wales offers robust mechanisms for protection and redress. Whether you’re a public figure or a private individual, your privacy matters — and there are legal avenues to defend it.
If you believe your private information has been misused, we suggest you seek legal advice promptly, especially since some claims (e.g., defamation) have short limitation periods. While no remedy can fully undo the damage of a privacy breach, legal action can help you regain control, secure compensation, and prevent further harm.
"Brilliant company. Very reliable and trust worthy. If ever needed would highly recommend!"
If the breach caused financial loss or emotional distress, you can file a claim in court for compensation under:
Our specialist solicitors can help you to claim compensation from both individuals and organisations who breach data protection rules.
We can also bring challenges under the Human Rights 1998 if we can show that your right to private and family life has been breached.
If you believe your information regarding your personal details have been shared without your consent, our specialist team are available to provide initial and confidential advice. Provided you can prove that you have suffered distress and or financial loss as a result of the data breach, we can claim compensation from those who breach the law on privacy.
Our specialist team of solicitors have a proven track record and have succeeded in obtaining compensation for victims of data and privacy breaches in a number of complex claims in this developing area of law.
We understand the impact and inconvenience data breaches can have. Our solicitors will not just advise on the best and most-effective strategy, but also provide assistance and support to all of our clients.
"Excellent lawyers. Very supportive and sympathetic and caring. Always available if you are unsure about anything to talk you through your queries."
We’ll always explore all possible ways of funding your case. Your lawyer will be able to explain your options in greater detail at your initial meeting and, if appropriate, during the running of your case.
Firstly, you should check whether you’re covered by legal expenses insurance (also known as before-the-event insurance). This type of insurance is normally to be found on household or motor insurance policies, but you should check all your insurance policies, premium bank accounts and credit cards as these can sometimes provide it too. If you are covered, then you should notify the insurance provider straight away.
For privately paying clients we charge for work based on time spent on a case. At the outset of a case you’ll be provided with details of your lawyers’ charging rates and estimates of time and costs throughout the duration of your case for each specific stage of work.
In some cases, we may instead be able to act on a conditional fee agreement basis (“CFA”). Before agreeing to fund your case with a CFA, we’ll have to assess your case carefully. If we agree to act under a CFA and you win your case, a percentage deduction will be taken from any compensation you receive.
Yes, you will have to prove you have suffered financial loss and/or distress.
In such cases it may be possible to stop the behaviour of the harassing third-party with a formal letter known as a “cease and desist letter”. If this doesn’t stop the harassing behaviour it may be necessary to issue proceedings under the Protection from Harassment Act 1997 and obtain a harassment injunction. This is an injunction that orders them to stop their harassing behaviour. If they don’t stop, legal action for contempt of court can be brought against them.
Potential defences to claims for breach of privacy may include:
There is no definitive authority; however, the general consensus is that claims for breach of privacy including data breaches should be brought within six years. This means that breaches within the last six years are potentially eligible.
Claims for human right breaches have to be brought within one year.
Businesses, organisations and the government.
Various types of personal information could be held by organisations. For example:
Our specialist data protection lawyers offer a variety of funding options for breach of privacy claims:
The DPA is a set of UK legislative principles which organisations, businesses and the government must abide by. It sets out how your personal information can be used.
Personal information must be:
