Data Protection & UK GDPR

Misuse of your data or a data protection breach can lead to embarrassment and costly problems. KhanMather can help by assisting you with your issue and claiming compensation for the distress caused.

For the Consumer

What is your personal data?

This can be your private contact information, login details, passwords, bank account or payment details or medical information. If you would like more information on the definition of ‘personal data’ please click on the link to the Information Commissioner’s Office website.

Data made available publicly?

Have you suffered damage or distress as a result of your sensitive information being lost, misused or hacked?

Cybercrime and hacking is on the rise and those organisations who hold your personal information (also known as ‘Data Controllers’) are obliged to protect it under the data protection laws. If they however fail to do so and you suffer damage or distress as a result, we can assist you in claiming the compensation that you may be entitled to claim.


If your private contact information were obtained by hackers in a cyber-attack and the data controller had failed to take reasonable security measures to protect this data, it is likely that you may have suffered distress. This could have been from the worry and stress of being the victim of an identity fraud or from having to switch bank accounts and then take remedial measures.

In a severe case you may have actually become the victim of an identity fraud and lost money.

What is distress?

Distress can be described as ‘extreme anxiety, sorrow or pain’.

This could also be caused if your sensitive personal data was inadvertently disclosed online, for example by a vulnerability in the data controller’s website being exploited. This may be information that you would not want to be publicly available, because it is private or highly sensitive and the fact that it has been made public may cause you to suffer psychologically.

Please note that medical evidence is not required to prove distress and/or anxiety but if you are greatly affected by the breach then we would strongly recommend that a report be obtained from a Psychiatrist.

Your legal rights

Under the previous Data Protection Act 1998, as well as under the UK General Data Protection Regulation (UK GDPR), a new law that came into force in May 2018 and was then subsequently amended following Brexit in 2021, individuals have a number of rights, which we can advise upon. They include the right to obtain a copy of the personal information that data controllers hold about them. This is known as a Subject Access Request (aka ‘SAR’).

How much compensation will I receive?

This is not an easy question to answer as each case is fact specific but as a rough guide, the following amounts can be used as a starting point:

Medical Information – £5,000

Financial Information – £3,000

Minor breach – £750

Data not provided?

In many cases, data controllers fail to have full regard to these rights and refuse to provide the data that individuals are legally entitled to. We can help because we have experience of successfully applying to the court for an order to make them provide the appropriate information to you plus we may be able to obtain an award of damages for the stress and anxiety caused.


We are able to offer our litigation services on either a privately paying basis or conditional fee basis depending on the facts of the case and our initial view on the prospects of success.

Please note that our hourly rates for data litigation start at £175.00 plus VAT which are in accordance with the SCCO’s Guidelines Hourly Rates for this complex area of law and we may also be able to offer a fixed fee arrangement which would be dependent on when the matter would eventually settle.


All businesses, no matter what their size or sector, will need to review their data protection compliance sooner rather than later in order to comply with the General Data Protection Regulation (GDPR) and the replacement Data Protection Act, which came into force in May 2018, modernising our data protection law and providing the regulator, the Information Commissioner’s Office (ICO), enhanced and strengthened enforcement powers.

Previously the ICO had the power to fine businesses and organisations with a Civil Monetary Penalty (CMP) of up to £500,000 for breaches of the Data Protection Act 1998, which had the likelihood to cause substantial damage or distress. Under GDPR those limits are much higher, up to a maximum of £17 million or 4% of turnover in worse case scenarios, with fines only a part of a range of sanctions for non-compliance including corrective orders, reprimands and warnings.

Data subjects also now have the benefit of a wider range of rights under the GDPR, such as data portability, rights to restrict processing and the right to be forgotten, as well as more familiar rights like claiming compensation for distress following a data breach, for example.

There has never been a better time for businesses to review existing data protection policies and procedures to get as ready for the new regulatory landscape as they can be.

We can assist businesses and organisations by advising on the various obligations that are placed upon them, currently and in the future regime, which include:

  • Advice on policies and procedures, such as reviewing privacy notices and procedures for dealing with data subjects rights, and how these may need to be updated for GDPR
  • How to respond to Subject Access Requests and what to do if litigation is threatened – we have experience of dealing with contested and litigated SARs
  • Advice on how to respond to data subjects’ complaints including dealing with claims for compensation for damage or distress
  • Advice if the business suffers a security or other data protection breach – the requirement of self-reporting the incident to the ICO and advice during any subsequent ICO investigation and potential enforcement action, which might include the issuing of a Civil Monetary Penalty (CMP)
  • Advice regarding appealing any of the formal notices issued by the ICO to the Information Rights Tribunal


Please call us on 0161 850 9911 and we will happily answer your questions.

How can we help you?

Contact us or call us on 0161 850 9911

Accreditations and awards

Conveyancing Quality
Legal 500 Leading Firm 2020
Legal 500 Recommended Lawyer 2020
Khan Mather Conveyancing Award
Khan Mather Personal Injury Award
Legal 500 Leading Firm 2020
Legal 500 Recommended Lawyer 2020

Prefer to speak to someone? Call us on 0161 850 9911

'KhanMather Solicitors' is a trading name of 'Khan Mather Limited'
Khan Mather Limited is a company registered in England & Wales (Registration No: 08469005) which is regulated and authorised by the Solicitors Regulation Authority (No: 623820).
VAT No: 221 8226 37. Registered office at Second Floor, 19-23 Stamford New Road, Altrincham WA14 1BN
© Copyright 2024 Khan Mather Limited