In what circumstances is an organisation required to pay compensation to individuals under data protection law? It’s widely understood that a technical contravention of the GDPR does not automatically give rise to a right to claim damages. There must be evidence that an individual has suffered harm. What evidence is necessary to show that a GDPR contravention has taken place and that harm has occurred? Is anxiety over potential data misuse sufficient and, if yes, what level of anxiety needs to be experienced to give rise to a right to compensation?

Past UK case law demonstrates that successfully claiming compensation for data protection law contraventions is not easy and that amounts awarded for compensation by the courts tend to be low. In Farley v Paymaster (1836) Limited [2025] EWCA Civ 1117(1) published on 22 August 2025, the Court of Appeal was asked to consider an appeal from an order striking out individual claims in a collective action which arose due to a data security breach. The High Court had already considered the facts as they applied to over 400 individuals and decided that only 14 could show an arguable case. The appellants before the Court of Appeal were an additional 432 individuals who considered they should be able to claim compensation.