Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Getting a data breach “under control” isn’t just about IT.
If personal data is lost, hacked, sent to the wrong person, or accessed without permission, there’s a legal and financial angle that can hit small businesses hard: compensation.
This is where GDPR Article 82 (often searched as Article 82 GDPR or GDPR Article 82) comes in. It’s the rule that gives individuals the right to claim compensation where they’ve suffered damage because of a breach of data protection law.
For business owners, understanding Article 82 is less about memorising the legislation and more about knowing:
- when a compensation claim can arise,
- what types of losses can be claimed,
- who is legally responsible (especially if you use third-party suppliers), and
- how to reduce the risk of paying compensation in the first place.
Let’s break it down in plain English.
What Is Article 82 GDPR (And Why Should Small Businesses Care)?
Article 82 UK GDPR is the provision that creates a right to compensation where someone suffers damage due to an infringement of the GDPR.
In practical terms, it means that if your business fails to comply with the UK GDPR (and the Data Protection Act 2018) and that failure causes someone damage, they may be able to claim money from you.
Article 82 In Plain English
Article 82 says (in effect):
- Individuals can claim compensation for material damage (financial losses) and non-material damage (such as distress).
- Businesses can be liable if they are a controller (deciding how/why personal data is processed) or a processor (processing on behalf of someone else), depending on what went wrong and the role each party played.
- Multiple parties can be “on the hook” at once in some cases (called joint and several liability), meaning a claimant may pursue whichever party is most able to pay.
This matters for small businesses because a “breach” doesn’t have to be a major cyberattack to trigger risk. It can be as simple as sending a spreadsheet of customer details to the wrong email address or losing an unencrypted laptop.
Does Article 82 Apply In The UK?
Yes. The UK has retained a version of the GDPR (the UK GDPR) alongside the Data Protection Act 2018. Article 82 still forms part of the UK framework and is a core piece of how compensation claims work after a breach.
It sits alongside other risks, such as:
- ICO investigations and regulatory enforcement, and
- contractual claims (for example, where a supplier’s breach triggers losses across your supply chain).
When Can Someone Bring An Article 82 GDPR Compensation Claim Against Your Business?
To understand your risk under Article 82 GDPR, it helps to think in terms of a basic “ingredients list”. While each case turns on its facts, a claimant generally needs to show:
- There was an infringement of the UK GDPR (for example, you lacked appropriate security, transparency, or a lawful basis).
- They suffered damage (material or non-material).
- A causal link between the infringement and the damage (the breach must actually have caused the loss/distress complained of).
Not Every Data Incident Automatically Equals Compensation
It’s easy to assume that any breach means automatic payouts. In reality, claimants must still show they experienced damage, and there needs to be a meaningful connection to what your business did wrong.
However, don’t underestimate “smaller” incidents. The most common real-world causes of claims involve:
- human error (misdirected emails, incorrect attachments, poor access controls),
- weak internal processes (no training, no clear permissions, poor retention rules), and
- supplier failures (cloud systems, marketing platforms, outsourced IT providers).
Controller Vs Processor: Who Is Liable?
Liability under Article 82 depends on role and fault:
- Controllers are typically the main decision-makers and are often the first target for claims.
- Processors can be liable where they have not complied with processor obligations or acted outside lawful instructions.
If you’re using suppliers to process personal data (for example, payroll providers, CRMs, email marketing tools, hosted support desks), you should have the right paperwork in place. A well-drafted Data Processing Agreement is often a key starting point for allocating responsibilities and setting minimum security expectations.
Can You Be Liable For A Supplier’s Mistake?
Potentially, yes.
Even if the breach starts with a supplier, you might still be exposed if you didn’t carry out appropriate due diligence, didn’t put the right contract terms in place, or didn’t set/monitor appropriate security standards.
This is why GDPR compliance isn’t just a “tick box” exercise. It’s risk management for your customer relationships, reputation, and finances.
What Types Of “Damage” Can Be Claimed Under GDPR Article 82?
Article 82 allows claims for both:
- Material damage (financial loss), and
- Non-material damage (distress and similar harm).
For small businesses, the non-material side is often what catches people off guard. You can do everything possible to refund a customer or fix a mistake, but if someone can show the incident caused genuine distress, that can still form the basis of a claim.
Material Damage (Financial Loss)
This might include things like:
- direct financial losses from fraud (where bank details or ID documents were exposed),
- costs of credit monitoring or protective steps,
- lost earnings (in some scenarios), or
- other measurable expenses caused by the infringement.
Non-Material Damage (Distress, Anxiety, Loss Of Control)
This can include:
- stress or anxiety (for example, after a cyberattack exposes contact details or sensitive information),
- embarrassment or reputational harm (for example, if special category data is leaked), and
- in some cases, a sense of losing control over one’s personal information (the availability of this head of loss can be fact-specific).
From a business perspective, the takeaway is simple: you should treat distress as a real head of loss, especially where the breach involves sensitive data (health information, children’s data, financial details, or anything that could cause heightened harm if misused).
What If You Didn’t Intend Any Harm?
Intention isn’t usually the point. Under the UK GDPR, the focus is on whether you met the required standard of compliance (including appropriate security and accountability measures) and whether the individual suffered damage because of the infringement.
That’s why strong internal governance is so important. Policies and training won’t guarantee you never have an incident, but they can help show you took reasonable steps, and they reduce the likelihood of preventable breaches.
For many businesses, putting an Acceptable Use Policy in place is a practical way to set rules on passwords, devices, access rights, and how your team handles personal data day-to-day.
How Much Compensation Could Your Business Pay Under Article 82 GDPR?
There’s no fixed “GDPR compensation amount” in Article 82. The level of compensation depends on the facts, such as:
- the nature of the personal data involved (basic contact details vs sensitive/special category data),
- the severity and duration of the impact,
- how many people were affected,
- whether there’s evidence of financial loss, and
- how your business responded (including whether you acted quickly and transparently).
Single Claims Vs Group Claims
A single claim can be manageable. The bigger commercial risk for many small businesses is volume.
If a breach affects hundreds or thousands of customers (for example, a hacked mailing list or exposed customer portal), even “modest” compensation per person can add up quickly when multiplied across a large group.
Compensation Is Separate From ICO Fines
It’s worth separating two different types of exposure:
- Regulatory action (for example, an ICO enforcement notice or fine) focuses on compliance and public interest.
- Compensation claims focus on the harm suffered by individuals.
You could face one without the other, or both at once. Either way, the best time to reduce this risk is before an incident happens.
How Can You Reduce Your Liability Under Article 82 GDPR If A Breach Happens?
Most small businesses aren’t trying to ignore privacy law. The challenge is that data protection compliance can feel like a moving target, especially when you’re juggling sales, staff, suppliers, and operations.
The good news is there are practical steps you can take to reduce your exposure under Article 82, even if something goes wrong.
1. Know What Personal Data You Hold (And Why You Hold It)
Start with the basics:
- What personal data do you collect (customers, leads, employees, suppliers)?
- Where is it stored (devices, cloud apps, paper files)?
- Who has access to it?
- How long do you keep it?
This is often where hidden risks live, especially in businesses that have grown quickly and added new tools over time.
2. Put The Right Privacy Information In Front Of Customers
Transparency is a core GDPR principle. If you collect personal data through your website, online booking system, e-commerce store, or email marketing, your privacy information should be clear, accurate, and tailored to your business.
A properly drafted Privacy Policy helps set expectations, supports compliance, and can reduce misunderstandings when an incident happens (for example, by clearly describing your processing activities and contact points).
3. Get Your Supplier Contracts Right (Especially For Data Processors)
If suppliers process personal data for you, you should have GDPR-compliant terms covering areas like:
- security obligations,
- sub-processing restrictions,
- breach notification timeframes,
- audit rights, and
- data deletion/return when the relationship ends.
This is where a Data Processing Agreement can be crucial.
And if you’re collecting data through third-party website tools, cookies, or analytics, don’t forget the “front end” compliance side. Many businesses tie this into their website terms as well, using documents such as a Cookie Policy whose wording actually reflects what is running on their site.
4. Have A Plan For When Things Go Wrong
When a breach happens, speed and process matter.
If you scramble, miss reporting deadlines, or communicate inconsistently, you can end up compounding the damage (both to the individual and to your business position).
A documented Data Breach Response Plan helps your team know who does what, when to escalate, and how to preserve evidence and limit harm quickly.
5. Train Staff And Set Practical Rules (Because Human Error Is Common)
Many “breaches” are preventable with simple internal habits, such as:
- double-checking recipients before sending personal data,
- using BCC for group emails,
- restricting admin access to those who genuinely need it,
- encrypting devices and using multi-factor authentication, and
- keeping personal data out of shared inboxes unless properly controlled.
Policies matter too, especially if you ever need to show what your organisation required staff to do. For many businesses, an Acceptable Use Policy is a practical way to set clear, enforceable standards for workplace tech and data handling.
6. Treat GDPR As Part Of Your “Legal Foundations” (Not A One-Off Document)
It can be tempting to download a template, upload it to your website, and move on.
But GDPR compliance is ongoing. It changes when your business changes, for example when you:
- hire your first employees,
- start collecting health or dietary information (even informally),
- expand into a new market,
- add new marketing tools, or
- introduce new products that involve personalisation or profiling.
For many growing businesses, it’s worth putting a structured compliance approach in place, such as a tailored GDPR Package, so you’re not piecing together documents and decisions reactively after an incident occurs.
Key Takeaways
- Article 82 GDPR gives individuals the right to claim compensation where they suffer material damage (financial loss) or non-material damage (such as distress) due to a GDPR infringement.
- Small businesses can face real compensation exposure even for “everyday” data incidents like misdirected emails, weak access controls, or lost devices.
- Liability can extend beyond your business if suppliers are involved, but you still need to manage your controller obligations and have a compliant processor contract in place.
- Compensation claims are separate from ICO fines, and you may face one without the other (or both).
- You can reduce risk by tightening your privacy governance: keep clear records of what data you hold, use a tailored Privacy Policy, put strong supplier terms in place, train staff, and follow a Data Breach Response Plan.
- This article is general information only and not legal advice. If you’re unsure where your biggest risk sits, it’s worth getting tailored advice early: being “protected from day one” is much cheaper than fixing problems later.
If you’d like help reviewing your GDPR compliance or getting the right documents in place to reduce your exposure under Article 82, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.