We've been featured in:

  • bbc logo
  • daily mail logo
  • itv logo
  • skynews logo

My Employer Has Breached GDPR, Can I Make A Claim?

By Danielle Jordan. Last Updated 28th April 2025. This guide explains when you may be entitled to compensation because your employer has breached the UK GDPR. Personal data is any information that can be used to identify someone, and the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation, known as UK GDPR, are laws that set out what steps a business – including your employer – must take to secure it.

A data breach is a security incident in which the availability, confidentiality, or integrity of your personal data is compromised. This could happen if your workplace is the deliberate target of a phishing attack, or if your employer fails to take reasonable care of your personal data.

A woman pointing to the words data breach floating in the centre of a screen.

While this can be distressing, there is help at hand. Read on for more information about how a breach could come about, how much compensation you may be entitled to and how our expert solicitors can help.

If you think you have a claim, give us a call at 0800 073 8804 or fill out our contact us form and one of our experts will get right back to you.

Select A Section

  1. How Could Your Employer Have Breached The UK GDPR?
  2. What Data Could Employers Handle?
  3. When Can You Claim After Your Employer Has Breached The UK GDPR?
  4. How Should Employers Protect Employees’ Data?
  5. What Happens If Your Employer Has Breached The UK GDPR?
  6. How Much Could You Claim If An Employer Has Breached The UK GDPR?
  7. No Win No Fee Data Breach Claims

How Could Your Employer Have Breached The UK GDPR?

The UK GDPR and the Data Protection Act 2018 set out how the personal data of UK residents is to be protected and handled by data controllers and data processors.  A data controller determines why personal data is to be processed as well as how to process it. The controller may instruct a data processor to process personal data on their behalf. Your employer may play both roles. 

Should your employer fail to protect your personal data and a breach of the UK GDPR at work occurs, you could be eligible for compensation.   

However, you must satisfy the data breach compensation eligibility criteria as set out in Article 82 of the UK GDPR. This means that you must have evidence that proves:

  • The breach happened as a result of the data controller or processor failing to comply with the data protection legislation.
  • Your personal data must have been compromised in the breach.
  • Due to this compromise in your personal data, you suffered emotional and/or financial harm.

In addition to meeting the above criteria, you must start your case within the data breach claims time limit. This is typically 6 years. However, if your claim is against a public body, this is reduced to 1 year. 

Speak to one of the advisors from our team to discuss what potential steps you could take if the UK GDPR is breached and you suffer harm as a result.

What Data Could Employers Handle?

Our employers hold personal information that is protected by the UK GDPR. Personal data or personal information is information that can be used to identify you, whether indirectly or directly.

Personal data includes your name, address, date of birth, sex and National Insurance number. It also covers information relating to your work history, such as your disciplinary records, your pay, any training you’ve been given and any accidents you might have had while at work.

Personal data that’s considered sensitive, however, it requires more protection. Sensitive data includes your race, ethnicity, religion, political opinions, trade union membership, medical conditions and sexual history or orientation.

When Can You Claim After Your Employer Has Breached The UK GDPR?

There are several different scenarios where you could potentially seek compensation after your employer has breached the UK GDPR. We cannot possibly cover every scenario here but we have done our best to give you an idea of how personal data breaches in the workplace can happen.

Examples of employers violating UK GDPR rules can include:

  • Your employer sends a group email to staff and clients but fails to use blind carbon copy, resulting in the email addresses of several employees being sent out to clients including your own.
  • Inadequate physical security resulted in copies of your employee documents being lost and later accessed by unauthorised persons.
  • A lack of sufficient antivirus software enabled cyber criminals to break into company systems and steal employee records.
  • The company’s HR department had failed to set a password on one of the company laptops. An unauthorised employee was therefore able to access your HR records, including details of a racial discrimination complaint you had raised the previous week. This caused significant distress and anxiety.

You can check if you are eligible to claim for a GDPR breach at work by speaking to our advisors. Our team is available to take your call 24 hours a day. Get in touch with us today using the details given below.

How Should Employers Protect Employees’ Data?

Employers should take steps to protect personal data themselves and may also empower you to protect your own data. Simple security protocols are an important tool for employers to prevent UK GDPR breaches. Remember, the UK GDPR applies whether you are working in an office or remotely.

If your personal data is stored on a computer, it may need to be protected by a username and password and only accessible to people if absolutely necessary. Regular password changes can help increase security.

If your personal data is written down, then document management processes like keeping desks clear from papers, locking storage cabinets and properly destroying out-of-date records are vital.

Furthermore, employees should feel comfortable discussing what employers do with their personal data. Your workplace may have a policy that you can read and understand, and should also provide training if needed so employees know their rights and how to access, retrieve or delete their personal data.

What Happens If Your Employer Has Breached The UK GDPR?

If you are concerned that your employer has breached the UK GDPR, the Information Commissioner’s Office – known as the ICO – can investigate and fine your employer up to £17.5 million or 4% of its worldwide turnover, whichever is higher. It could also decide to issue a warning or compliance order, or ban your employer from processing personal data for a certain amount of time.

Employers are legally required to alert the ICO to a data breach within 72 hours of discovering it. They should also take certain steps of their own at the same time as or before alerting the ICO, particularly when it comes to trying to stop the breach and identifying any risks arising from it. The lengths that your employer is required to go to in the event of a data breach depends on the risk of harm that the breach creates.

For example, if they sent an email containing your personal information to someone outside the business or another employee, they could recall the email before it is opened. If an employee database is the subject of a phishing attack, they might have to take more action to get your information back or stop the hackers from using it.

How Much Could You Claim If An Employer Has Breached The UK GDPR?

There amount of data breach compensation you may receive after a data breach claim depends on different factors such as how serious the breach is and what you suffered.

The law allows you to claim for both material and non-material damage caused by your employer’s GDPR breach. Material damage means damages relating to your finances. For instance, if money was stolen from your bank account or your credit rating goes down, you could recover the loss. Non-material damage means harm relating to your mental health. This could be the ongoing anxiety you may suffer as a result of knowing that your personal information was leaked.

We’ve used figures from the Judicial College Guidelines (JCG) to create the below compensation table, except for the first figure. The JCG is a publication solicitors may use when valuing injuries. It contains potential compensation award brackets for various injuries, including psychological harm.

Injury SeverityGuideline Compensation Figure
Very Serious Psychological Distress With Material DamageVery SeriousUp to £500,000 +
General Psychiatric HarmSevere (a)£66,920 to £141,240
Moderately Severe (b)£23,270 to £66,920
Moderate (c)£7,150 to £23,270
Less Severe (d)£1,880 to £7,150
Post-Traumatic Stress DisorderSevere (a)£73,050 to £122,850
Moderately Severe (b)£28,250 to £73,050
Moderate (c)£9,980 to £28,250
Less Severe (d)£4,820 to £9,980

Because of a case from 2015 known as Vidal-Hall and others v Google Inc, you can now make data breach claims for this kind of mental harm regardless of whether you also suffered material damage.

Give our compensation calculator a try to see what you may be entitled to, or contact one of our expert data breach lawyers for more information.

No Win No Fee Data Breach Claims

If you are eligible to seek compensation for an accidental data breach at work that compromised your personal data, you may like to have the support of a solicitor. If so, one of our data breach solicitors could work on your claim. Typically, they work under a Conditional Fee Agreement (CFA). This is a type of No Win No Fee arrangement. 

When your solicitor works under the terms of a CFA, they generally don’t request you pay any upfront or ongoing fees for their services. They also won’t charge you for work on your case if your claim doesn’t succeed.

However, if your claim does succeed, your solicitor will deduct a success fee from your compensation. This amount is a legally limited percentage. 

If you have questions about what to do if the UK GDPR is breached and you suffer harm as a result, contact an advisor from our team. They can evaluate your case for free, and if you meet the eligibility criteria to make a claim for a breach of the UK GDPR at work, you could be connected to one of our solicitors. 

To talk to an advisor:

  • Call 0800 073 8804
  • Have an advisor call you back by filling in our ‘contact us’ form. 
  • Connect via our live chat.

Read More Articles On Data Breach Claims

You can find more articles on data breach claims below:

Claiming compensation for disciplinary record breaches – Advice about what to do if your employer exposed your disciplinary information in a data breach

Data breach claim FAQs – Answers to our most frequently asked questions when it comes to claiming for data breaches

My Personal Data Has Been Lost After a Breach – Find out what you could do if your personal data has been lost after a breach

ICO – Find out more about your rights under the UK GDPR from the Information Commissioner’s Office

Personal data an employer can keep about you – a government guide

Data Protection – the Government’s explanation of personal data protection

If you have any questions about claiming following a data breach caused because your employer has breached UK GDPR, why not get in touch?

Meet The Team

  • Patrick Mallon legal expert author

    Patrick Mallon (BA, PgDl) is a Grade A personal injury solicitor and head of our EL/PL department, which handles accidents at work and public liability claims, such as slips, trips and falls. He qualified in 2005 and has over 20 years of experience. Patrick is an expert No Win No Fee lawyer and well-known for his successful case, Billie Mae Smith v McDonalds. You can learn all about Patrick, his qualifications and his experience as a solicitor here. Get in touch today for free to see how Patrick and the team can help you.

    View all posts Personal Injury Solicitor