[6] Data related collective actions can generally be divided into two broad categories: (i) “unauthorized use of personal data” cases, where the firm controlling personal data allegedly uses it in an unauthorized manner; and (ii) “unauthorized access to personal data” cases where a third party (e.g. hackers) improperly accesses private data for malicious reasons. This article discusses some of the key legal and economic issues that arise in matters involving the unauthorized use of, or unauthorised access to, personal data in the UK. [7] Data Protection Laws in the UK “Personal data” can refer to diverse information types. The EU’s General Data Protection Regulation (GDPR), which was implemented in the UK and supplemented by the UK Data Protection Act of 2018 (DPA 2018),