My Employer Has Breached UK GDPR, Can I Make A Claim?
This guide explains when you may be entitled to compensation because your employer has breached the UK GDPR. Personal data is any information that can be used to identify someone, and the UK General Data Protection Regulation, known as UK GDPR, is a law that sets out what steps a business – including your employer – must take to secure it.
A data breach occurs when personal data is lost, destroyed, accessed, changed or disclosed in an unauthorised way, either by mistake or deliberately. This could happen if your workplace is the deliberate target of a phishing attack, or if your employer fails to take reasonable care of your personal data.
While this can be distressing, there is help at hand. Read on for more information about how a breach could come about, how much compensation you may be entitled to and how our expert solicitors can help.
Select A Section
- How Could Your Employer Have Breached The UK GDPR?
- What Data Could Employers Handle?
- How Should Employers Protect Employees’ Data?
- What Happens If Your Employer Has Breached The UK GDPR?
- How Much Could You Claim If An Employer Has Breached The UK GDPR?
- How To Claim If Your Employer Breached The UK GDPR
Employers, even small ones, hold a treasure trove of personal data about their employees. The UK GDPR requires them to ensure that this data is protected as much as is reasonably possible in several ways:
- They must process your personal data lawfully, fairly and in a transparent manner, which means they generally can’t use or obtain your personal data without your permission.
- If they do process your personal data, it can only be for explicit and legitimate purposes that they have explained to you. However, if there’s a lawful basis to share your data without your permission, they can.
- They should only store the minimum amount of information that is necessary.
- Employers must ensure the personal data they have collected on you is accurate.
- They can’t keep it for longer than is necessary.
- They must take steps to ensure your personal data is secure.
- Employers should be ready to be held accountable for not following the above principles.
If your employer fails to abide by any of these rules, they may be in breach of the UK GDPR.
Our employers hold personal information that is protected by the UK GDPR. Personal data or personal information is information that can be used to identify you, whether indirectly or directly.
Personal data includes your name, address, date of birth, sex and National Insurance number. It also covers information relating to your work history, such as your disciplinary records, your pay, any training you’ve been given and any accidents you might have had while at work.
Personal data that’s considered sensitive, however, it requires more protection. Sensitive data includes your race, ethnicity, religion, political opinions, trade union membership, medical conditions and sexual history or orientation.
Employers should take steps to protect personal data themselves and may also empower you to protect your own data. Simple security protocols are an important tool for employers to prevent UK GDPR breaches. Remember, the UK GDPR applies whether you are working in an office or remotely.
If your personal data is stored on a computer, it may need to be protected by a username and password and only accessible to people if absolutely necessary. Regular password changes can help increase security.
If your personal data is written down, then document management processes like keeping desks clear from papers, locking storage cabinets and properly destroying out-of-date records are vital.
Furthermore, employees should feel comfortable discussing what employers do with their personal data. Your workplace may have a policy that you can read and understand, and should also provide training if needed so employees know their rights and how to access, retrieve or delete their personal data.
If you are concerned that your employer has breached the UK GDPR, the Information Commissioner’s Office – known as the ICO – can investigate and fine your employer up to £17.5 million or 4% of its worldwide turnover, whichever is higher. It could also decide to issue a warning or compliance order, or ban your employer from processing personal data for a certain amount of time.
Employers are legally required to alert the ICO to a data breach within 72 hours of discovering it. They should also take certain steps of their own at the same time as or before alerting the ICO, particularly when it comes to trying to stop the breach and identifying any risks arising from it. The lengths that your employer is required to go to in the event of a data breach depends on the risk of harm that the breach creates.
For example, if they sent an email containing your personal information to someone outside the business or another employee, they could recall the email before it is opened. If an employee database is the subject of a phishing attack, they might have to take more action to get your information back or stop the hackers from using it.
Can I Sue My Employer For A Breach Of The UK GDPR?
While the ICO can investigate a data breach and order your employer to take certain actions to protect you and your personal information, it, unfortunately, cannot order your employer to compensate you directly for your loss. For this, you may need to file a claim no more than six years after the data breach.
Our expert data breach solicitors can help ensure you present the right type of evidence for your case to succeed. You’ll need to show that:
- Your employer’s wrongful conduct caused the breach. For example, they didn’t properly train staff in data protection.
- Your personal data was compromised in the data breach.
- You suffered both mental damage and financial loss, or either, as a consequence.
There amount of data breach compensation you may receive after a data breach claim depends on different factors such as how serious the breach is and what you suffered.
The law allows you to claim for both material and non-material damage caused by your employer’s GDPR breach. Material damage means damages relating to your finances. For instance, if money was stolen from your bank account or your credit rating goes down, you could recover the loss. Non-material damage means harm relating to your mental health. This could be the ongoing anxiety you may suffer as a result of knowing that your personal information was leaked.
We’ve used figures from the 16th edition of the Judicial College Guidelines (JCG) to create the below compensation table. This was produced in April 2022. The JCG is a publication solicitors may use when valuing injuries. It contains potential compensation award brackets for various injuries, including psychological harm.
|Psychiatric: Severe||£54,830 to £115,730||There's significant difficulty coping with work, education and life.|
|Psychiatric: Moderately Severe||£19,070 to £54,830||Significant problems coping with life but the prognosis is better than for those with severe psychiatric damage.|
|Psychiatric: Moderate||£5,860 to £19,070||There'll be improvement by the time of trial and there'll be a good prognosis.|
|Psychiatric: Less Severe||Up to £5,860||The extent to which everyday activities and sleep were affected will be taken into account when calculating the award.|
|Anxiety Disorder: Severe||£59,860 to £100,670||Permanent effects to the extent that the person can't work at all.|
|Anxiety Disorder: Moderately Severe||£23,150 to £59,860||Effects will still cause disability.|
|Anxiety Disorder: Moderate||£8,180 to £23,150||Largely recovered and no effects that are disabling.|
|Anxiety Disorder: Less Severe||Up to £8,180||A practically full recovery within 1 to 2 years.|
Because of a case from 2015 known as Vidal-Hall and others v Google Inc, you can now make data breach claims for this kind of mental harm regardless of whether you also suffered material damage.
Give our compensation calculator a try to see what you may be entitled to, or contact one of our expert data breach lawyers for more information.
If you think your employer has breached the UK GDPR, don’t forget you only have a set amount of time to file your claim. You could use the services of a solicitor to help. Our solicitors offer their services on a No Win No Fee basis for every claim they accept.
No Win No Fee means:
- You don’t pay an upfront solicitor’s fee to start a claim.
- You don’t have to pay any ongoing solicitor fees.
- If the claim loses, you don’t pay the solicitor’s fee at all.
- If the claim wins, you do pay their fee, but this is a small percentage of your compensation and it’s capped by law. You’d agree on the percentage with your solicitor beforehand and it’d only be taken after the compensation comes through.
Contact our expert solicitors today to see if you can get the process started. You can also get more information on how much you might claim. Our advisors are available 24/7 and give free legal advice with no obligation for you to continue with the services of our solicitors afterwards.
Get in touch by:
Read More Articles On Data Breach Claims
Claiming compensation for disciplinary record breaches – Advice about what to do if your employer exposed your disciplinary information in a data breach
Data breach claim FAQs – Answers to our most frequently asked questions when it comes to claiming for data breaches
My Personal Data Has Been Lost After a Breach – Find out what you could do if your personal data has been lost after a breach
ICO – Find out more about your rights under the UK GDPR from the Information Commissioner’s Office
Personal data an employer can keep about you – a government guide
Data Protection – the Government’s explanation of personal data protection
If you have any questions about claiming following a data breach caused because your employer has breached UK GDPR, why not get in touch?
Written by Connor
Edited by Victorine