Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles personal data, GDPR Article 82 should be on your radar. It’s the provision that lets individuals claim compensation if your organisation breaches data protection rules and they suffer damage as a result.
Don’t stress - understanding what Article 82 covers, who can be liable, and how to reduce your risk will put you in a strong position. In this guide, we break it down in plain English and share practical steps so you’re protected from day one.
What Does GDPR Article 82 Mean For UK Businesses?
GDPR Article 82 (as retained in the UK GDPR and supported by the Data Protection Act 2018) gives individuals a right to compensation where they’ve suffered damage due to a breach of the UK GDPR. It’s separate from regulatory fines - those are imposed by the ICO. Article 82 is about private claims brought by people affected by a breach.
In simple terms, if your business fails to comply with data protection law and that failure causes someone loss or distress, they can ask for money. Claims often arise after security incidents (like misdirected emails, lost devices, or cyberattacks), but they can also flow from unlawful processing, excessive data collection, or ignoring someone’s data rights.
Key points to note:
- Compensation can cover both material damage (financial loss) and non-material damage (distress, anxiety, loss of control of data).
- Controllers and processors can both be liable (more on that below).
- This is civil liability - claimants don’t need an ICO decision to sue, and claims can proceed in the courts even without a fine.
- There are defences if you can show you weren’t responsible for the event that caused the damage.
Because Article 82 claims are about showing harm linked to a breach, the best risk management strategy is to prevent breaches and document how you comply. Policies, staff training, supplier contracts and an effective incident response plan all count as evidence that you took reasonable steps.
Who Can Be Liable Under Article 82?
Liability under Article 82 turns on your role in the processing activity and what went wrong. The UK GDPR distinguishes between controllers (who determine purposes and means of processing) and processors (who process on behalf of controllers).
Controllers
Controllers bear primary responsibility for compliance. If your business decides what personal data to collect and why, you’re likely a controller. If there’s a breach of the UK GDPR that causes damage, the controller can be sued for compensation.
Processors
Processors can also be liable where they breach specific UK GDPR obligations that apply to processors, or where they act outside or contrary to the controller’s instructions. For example, if a processor stores data in an unsecured environment against your express instructions, they may face claims alongside you.
Joint And Several Liability
Article 82 introduces joint and several liability for controllers and processors involved in the same processing activity. That means a claimant can recover the full amount from any one of the parties responsible, and those parties can then seek a “fair share” contribution from each other afterwards. In practice, if your business is the most solvent or the easiest to sue, you could end up paying, then pursuing recovery from others.
Defence: “Not Responsible For The Event”
There’s a statutory defence if you can prove you were not in any way responsible for the event that caused the damage. This is a high bar - it’s not enough to show you didn’t mean to cause harm. You’ll need evidence that you complied with the UK GDPR (for example, appropriate security measures, proper instructions to processors, and reasonable due diligence).
Why Contracts With Processors Matter
Because liability can be shared, good contracts with your suppliers are critical. A robust Data Processing Agreement should set out security requirements, breach notification timelines, audit rights, and indemnities so that if your processor causes the loss, you have a contractual route to recover contribution.
What Counts As “Damage” And What Will A Court Consider?
Article 82 allows compensation for “material or non-material damage”. UK courts recognise that someone can claim even without a direct financial loss - distress can be enough in principle. That said, the claimant still has to show a real breach and a causal link to their distress.
In assessing compensation, courts commonly look at:
- The sensitivity of the personal data (e.g. financial, health or special category data typically increases risk).
- The scale and duration of the breach (how many people were affected and for how long).
- How the breach occurred (e.g. human error vs. systemic failure vs. malicious attack).
- What steps you took before the breach (preventative measures, staff training, supplier management).
- How you responded (speed of detection, notification, mitigation, remediation and support to affected individuals).
- Any actual financial loss claimed (e.g. fraud or costs incurred) and evidence of distress (e.g. medical evidence for severe cases).
In practice, many low-value claims settle for modest sums where the incident is isolated, the data is not especially sensitive, and the business can show strong compliance steps. Larger group claims, or breaches involving sensitive data and prolonged exposure, can be far more costly.
Getting the fundamentals right reduces both the likelihood of a breach and the size of any compensation. For example, having a clear, accurate Privacy Policy, minimising the data you collect, and implementing secure deletion practices aligned with your retention schedule can all help evidentially. You may also want to revisit your processes around data deletion, access requests and cookies to show a culture of compliance.
How To Reduce Your Article 82 Risk: A Practical Checklist
Here’s a step-by-step checklist we encourage small businesses to follow. Each action is designed to prevent breaches, or position you to defend claims if something goes wrong.
1) Map Your Data And Minimise What You Keep
- Identify what personal data you collect, where it’s stored, who can access it, and why you need it.
- Apply data minimisation: only collect what’s necessary for your stated purposes; avoid “just in case” data.
- Set clear retention periods and securely dispose of data you no longer need (and document the deletion).
2) Put The Right Policies And Notices In Place
- Publish a clear, accurate Privacy Policy that matches your actual practices.
- Ensure your cookie practices align with your Cookie Policy and obtain consent where required.
- Keep internal policies for data handling, incident response, access control, BYOD and retention up to date.
3) Strengthen Security And Access Controls
- Use multi-factor authentication, device encryption and role-based access control.
- Segregate particularly sensitive data and monitor access logs.
- Test backups and patch systems regularly; train staff to spot phishing.
- If you use cloud tools, reassess settings and vendor risk - for instance, check whether your setup is Google Drive GDPR compliant for your use case.
4) Lock Down Your Supplier Relationships
- Identify which vendors are processors and put in place a compliant Data Processing Agreement with each.
- Set security standards, audit rights, breach notification timelines and indemnities.
- Run due diligence before onboarding critical suppliers; keep records of your checks.
5) Be Ready For Data Rights Requests
- Set up a clear process for subject access requests (SARs), rectification and erasure.
- Train your team so you can meet SAR deadlines and verify identity appropriately.
- Have a playbook for handling erasure requests that considers legal bases and exemptions, alongside your data deletion schedule.
6) Run DPIAs For Higher-Risk Processing
- Where processing is likely to result in high risk (e.g. large-scale monitoring, special category data, or AI that could significantly affect individuals), conduct a data protection impact assessment (DPIA).
- Document risks, mitigations and decision-making - this documentation is vital evidence if a claim arises.
7) Train People And Test Your Incident Response
- Provide regular training - most incidents start with human error. Cover email hygiene, secure transfers, and recognising social engineering.
- Test your incident response plan. Practise how you’ll detect, triage, contain, investigate and notify.
- Align your plan with lawful timeframes for notifying the ICO and affected individuals (where required).
8) Keep An Eye On Emerging Tech And AI
- If you’re experimenting with generative AI, set policy guardrails and review privacy risks - see our guidance on ChatGPT and GDPR.
- Ensure staff don’t paste personal or confidential information into public tools without safeguards.
9) Document Everything
- Maintain records of processing activities, DPIAs, training logs, vendor due diligence, and incident response steps.
- If you ever need to rely on the “not responsible” defence, contemporaneous records will be essential.
How To Respond If Someone Seeks Compensation
If you receive a compensation request or a letter of claim referencing Article 82, don’t panic. Work through a structured response:
Step 1: Acknowledge And Preserve Evidence
- Acknowledge receipt without admitting liability.
- Preserve logs, emails, screenshots, backups and any relevant records - suspend routine deletion where needed.
Step 2: Notify Your Insurer
- Check whether your cyber, tech E&O or general liability policy requires immediate notification. Delays can prejudice cover.
Step 3: Investigate Causation And Scope
- Confirm whether a breach of the UK GDPR occurred and, if so, how and why.
- Identify the claimant’s data, what was affected, and for how long.
- If a supplier was involved, review your Data Processing Agreement and their incident report.
Step 4: Assess Liability And Any Defences
- Consider whether you were responsible for the event that caused the damage.
- Review your compliance posture: security measures, training, policies, and DPIAs - these can support a defence or reduce quantum.
- If multiple parties were involved, think about contribution and indemnity rights.
Step 5: Evaluate The Claim And Quantum
- Scrutinise the damage claimed (is there evidence of financial loss? How is distress evidenced?).
- Context matters: nature of data, sensitivity, promptness of your response, and mitigation offered (e.g. support lines, credit monitoring).
- Be wary of inflated, template-style claims that don’t tie distress to the specific incident.
Step 6: Decide Your Strategy
- Options typically include: a reasoned rebuttal, a commercial settlement without admission, or defending the claim.
- Where appropriate, you can propose practical remediation (e.g. data deletion confirmations, reassurance on security improvements) alongside any monetary offer.
Step 7: Strengthen Compliance Going Forward
- Use the incident as a learning opportunity: update policies, enhance training, adjust retention, and validate that your Cookie Policy and consent mechanisms reflect current practices.
- If the incident revealed issues with cloud configuration, review whether your setup remains Google Drive GDPR compliant for the data you store.
Finally, remember that individuals may raise related requests at the same time - for example, a subject access request or an erasure request. Make sure your team can handle those alongside any claim so you stay on top of SAR deadlines and lawful data deletion.
Key Takeaways
- GDPR Article 82 (in the UK GDPR) gives individuals a right to compensation for material and non-material damage caused by a breach of data protection law.
- Controllers and processors can both be liable. Joint and several liability means a claimant can pursue the full amount from one party, who can then seek contribution.
- You have a potential defence if you can prove you weren’t responsible for the event that caused the damage - robust compliance evidence is key.
- Courts consider the sensitivity of data, scale and duration of the breach, your security measures, and how you responded when assessing compensation.
- Reduce risk with strong policies, a clear Privacy Policy, minimised data collection, secure vendor contracts (via a Data Processing Agreement), staff training, and a tested incident response plan.
- If you receive a claim, acknowledge it, preserve evidence, notify your insurer, investigate carefully, and choose a strategy grounded in the facts and your documentation.
If you’d like tailored help drafting documents or navigating an Article 82 claim, you can reach us at 0808 134 7754 or team@sprintlaw.co.uk for a free, no-obligation chat.