The Farley v Paymaster 2025 Court of Appeal ruling removed the requirement to prove “serious” harm when claiming compensation for UK GDPR breaches. For anyone who has ever had a data removal request ignored or refused, this changes the financial calculation that has protected non-compliant organisations for years. I’ve spent years submitting erasure requests to brokers who stall, deflect, and rely on the fact that pursuing compensation was too difficult to be worth the effort. That defence is gone.
I covered what the ruling decided and its broader implications when it first landed. This piece is about something different: how to actually use it.
How Farley v Paymaster 2025 changed the cost of ignoring your rights
Before this ruling, the playbook for a resistant data controller was straightforward. Receive an Article 17 erasure request. Sit on it past the 30-day statutory deadline. If the individual escalates to the ICO, wait for the ICO to do nothing (which, statistically, is what happens in the majority of cases; roughly 3% of breach reports led to investigation in 2024/25). If the individual actually files a court claim, argue that any distress was not serious enough to warrant compensation.
That final step was the safety net. UK GDPR Article 82 grants the right to compensation for both material and non-material damage caused by data protection breaches. But lower courts had been applying a de minimis threshold, requiring claimants to demonstrate their distress crossed a minimum bar. For most people whose removal request was ignored by a data broker, proving “serious” distress from the continued holding of their personal data was a losing argument.
The Court of Appeal in Farley v Paymaster ruled that no threshold of seriousness is required. Actual access or misuse by third parties is not essential. The unlawful processing itself can ground a claim.
For anyone with compound exposure across multiple UK data brokers, each refused or ignored request now represents a potential compensation claim where the barrier to filing is a County Court fee starting at 35 pounds, not a legal argument about whether your distress was bad enough.
The escalation framework with real teeth
I’ve submitted hundreds of removal requests to UK brokers. The compliant ones (192.com, for example, where I’ve walked through the opt-out process more times than I can count) respond within days. The difficult ones (Tracesmart, now owned by LexisNexis, or platforms like Glassdoor) either ignore the request entirely or claim an exemption that does not apply.
Before Farley v Paymaster, my escalation options for a client whose request was refused were limited in practice. An ICO complaint is free but slow. Even when the ICO acts, it cannot award compensation to the individual. You could file a court claim under DPA 2018 s.168, but the seriousness threshold meant you needed evidence of genuine harm beyond the fact that your data was still sitting on a platform it should have been removed from.
Now the full escalation path looks like this:
- Direct request citing UK GDPR Article 17 to the controller’s DPO (Day 1, with a 30-day statutory deadline)
- Written follow-up if no response (Day 31)
- ICO complaint at ico.org.uk
- Financial Ombudsman where applicable (CRAs, insurers, lenders; free and binding on the firm)
- Court order under DPA 2018 s.167 (County Court, fees from 35 pounds)
- Compensation claim under UK GDPR Article 82
Step 6 is where Farley v Paymaster matters most. The claim no longer requires you to prove that continued holding of your data caused serious psychological harm. The breach of your GDPR rights is itself sufficient to ground a claim for non-material damages. Most organisations comply at Step 1 or 2. But for the ones that resist, knowing you can pursue compensation without proving serious harm is a genuine lever.
The County Court Small Claims Track in practice
Most data protection compensation claims for individuals go through the County Court Small Claims Track. Claims up to 10,000 pounds. Fees start at 35 pounds for claims up to 300 pounds. You do not need a solicitor, though having one helps if the controller sends a legal team.
The process is more accessible than most people assume. You issue a claim via Money Claims Online, set out the breach (the controller failed to respond to a valid Article 17 request within the statutory deadline), reference Farley v Paymaster to establish that no seriousness threshold applies, and quantify your claim.
Quantification is where it gets interesting. There is no fixed tariff for non-material damage in data protection cases. Courts have awarded anywhere from a few hundred pounds to several thousand, depending on the circumstances. Courts now ask what the appropriate amount of compensation is for the breach, rather than debating whether the harm was serious enough to warrant any compensation at all. That is a fundamentally different conversation for the controller’s legal team to prepare for.
For someone with significant digital footprint exposure across multiple controllers, each non-compliant response is a separate potential claim. The numbers compound quickly, and the cost of defending multiple small claims far exceeds the cost of simply complying with the erasure request in the first place.
Which organisations should be paying attention
The controllers I see resisting valid erasure requests most often are the ones this ruling hits hardest.
LexisNexis and GBG hold current address data on most UK adults and resist suppression aggressively. They claim legitimate interests under AML regulations, which is valid for their regulated clients. But when an individual with no connection to an AML investigation requests erasure, the legitimate interest argument is weaker than they present it. I’ve secured suppression from LexisNexis, but it took eight or nine emails and a specific argument demonstrating heightened risk due to my occupation. Post-Farley, the threat of a compensation claim for the period they failed to act adds genuine financial pressure.
Tracesmart, now a trading name of LexisNexis Risk Solutions, has been described on consumer forums as “not very helpful” with removal requests. That reputation becomes more expensive to maintain when every ignored request is a potential claim without a seriousness threshold.
Glassdoor takes 30 days to process account deletion and has been resistant to removing third-party content. For executives whose professional reputation is directly tied to their digital exposure, Glassdoor’s slow compliance is more than an inconvenience. It is now a quantifiable breach with financial consequences.
Genealogy platforms like FamilySearch (which claims religious and archival exemptions under GDPR Article 89) and Ancestry are also in a different position. The exemptions may be valid, but the burden of proving they apply sits with the controller, not the data subject. If they cannot substantiate the exemption, the processing is unlawful and compensation follows.
The organisations that comply promptly (most UK people-search sites, the caller ID apps, the marketing list brokers) are largely unaffected. They were already doing the right thing.
Why this ruling matters more than the DUAA 2025
I’ll state this plainly: Farley v Paymaster has done more for individual data protection enforcement in the UK than the entire Data Use and Access Act 2025.
The DUAA received Royal Assent on 19 June 2025 and introduced changes to DSAR handling, automated decision-making, and ICO governance. It increased PECR marketing breach fines to 17.5 million pounds or 4% global turnover. But it created no data broker registration regime. It introduced no specific rules targeting people-search sites. Linklaters described it as “a shift in approach aiming to balance privacy rights with innovation.” Womble Bond Dickinson called the changes “minor relaxations of data protection requirements.”
Meanwhile, a single Court of Appeal ruling removed the barrier that made individual enforcement impractical.
The DUAA gives the ICO more power. Farley v Paymaster gives individuals more power. In my experience, individuals with skin in the game are more motivated enforcers than an underfunded regulator processing thousands of complaints. The ICO issued 62 enforcement actions in 2024, totalling roughly 2.7 million pounds across the entire UK data protection ecosystem. There has been no enforcement action against a UK people-search or data-lookup website as of early 2026. If the regulator is not going to act against these sites, empowering individuals to act for themselves is the next best outcome.
What this ruling does not fix
Farley v Paymaster strengthens your position when a controller refuses a valid request. It does not help when the processing is lawful.
Credit reference agencies process credit data under legitimate interest, and the jointly published CRAIN provides a framework the ICO has broadly accepted. You cannot use this ruling to claim compensation against Experian for holding your credit file, because that processing has a lawful basis.
Similarly, Companies House publishes director information under statutory obligation. Professional registers (GMC, SRA, FCA Register) are legally required to maintain their records. Court filings on BAILII are published under the administration of justice. None of these are candidates for compensation claims.
The ruling matters for the grey zone: controllers who lack a clear lawful basis for continued processing after you have objected, or who simply fail to respond within the statutory deadline. That grey zone covers a significant number of UK data brokers, marketing data companies, and people-search sites. I’ve covered which of your GDPR rights apply to different types of controller in a separate piece.
Practical steps for high-exposure individuals
If you are a director, executive, public figure, or anyone whose personal data creates compound risk when aggregated, Farley v Paymaster changes several things in practice.
Document everything. Every erasure request you send, every response (or non-response) you receive, every deadline that passes. If you later pursue compensation, the paper trail is your evidence. Timestamp your requests. Use email rather than web forms where possible, so you have a record.
Do not threaten compensation in your initial request. Send a clean Article 17 erasure request citing the specific lawful ground. Give the controller 30 days. If they fail to respond or refuse without valid justification, send a follow-up noting that you intend to escalate. The compensation claim is the final step, not the opening move.
Understand that the threat often achieves compliance without filing. Most data removal services send template requests that controllers can ignore at low cost. A request from someone who clearly understands the post-Farley enforcement position, and who can articulate that they will pursue compensation for non-material damage without needing to prove serious harm, is a fundamentally different communication. Controllers and their legal teams know this.
Get a proper assessment before you start sending requests. If you do not know where your data sits, you cannot enforce your rights against the controllers who hold it. I’ve mapped hundreds of digital footprints, and the pattern is always the same: people underestimate their exposure by a factor of ten. Sending erasure requests to three or four visible brokers while ignoring the dozens of invisible ones is wasted effort.
If you want to understand your specific exposure before taking enforcement action, get in touch.
