Data Protection — No Win No Fee

What Are the UK GDPR and Data Protection Act 2018?

Direct Answer: The UK GDPR and DPA 2018 give individuals the right to claim compensation for data breaches causing material damage or distress. Claims can be brought on a no win no fee CFA basis. Since Vidal-Hall v Google, damages for distress alone (without financial loss) are recoverable.

The UK General Data Protection Regulation (UK GDPR) — the retained EU version of the GDPR — and the Data Protection Act 2018 form the UK's data protection framework. Article 82 of the UK GDPR provides that any person who has suffered material or non-material damage as a result of an infringement has the right to receive compensation from the controller or processor.

Common Data Protection Claims

• Data breaches — cyberattacks, hacking, accidental data exposure
• Unlawful data sharing — sharing personal data without consent or lawful basis
• Subject access request failures — failure to respond to SARs within the statutory timeframe
• Inaccurate data — failure to correct or erase inaccurate personal data
• Excessive data collection — collecting data beyond what is necessary
• Unsolicited marketing — breaches of PECR (Privacy and Electronic Communications Regulations)

The Role of the ICO

The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection. The ICO can investigate complaints, issue enforcement notices, and impose fines of up to £17.5 million or 4% of annual global turnover. However, the ICO cannot award compensation to individuals — this requires separate court proceedings.

Group Litigation

Large-scale data breaches affecting thousands or millions of people are increasingly pursued through group litigation orders (GLOs) or representative actions. Notable examples include claims arising from the British Airways data breach (2018), the Marriott Hotels breach, and various NHS data incidents.