My Employer Has Breached GDPR, Can I Make A Claim?
By Danielle Jordan. Last Updated November 2nd 2023. This guide explains when you may be entitled to compensation because your employer has breached the UK GDPR. Personal data is any information that can be used to identify someone, and the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation, known as UK GDPR, are laws that set out what steps a business – including your employer – must take to secure it.
A data breach is a security incident in which the availability, confidentiality, or integrity of your personal data is compromised. This could happen if your workplace is the deliberate target of a phishing attack, or if your employer fails to take reasonable care of your personal data.
Claiming for a UK GDPR data breach by your employer
While this can be distressing, there is help at hand. Read on for more information about how a breach could come about, how much compensation you may be entitled to and how our expert solicitors can help.
If you think you have a claim, give us a call at 0800 073 8804 or fill out our online claim form and one of our experts will get right back to you.
Select A Section
- How Could Your Employer Have Breached The UK GDPR?
- What Data Could Employers Handle?
- How Should Employers Protect Employees’ Data?
- What Happens If Your Employer Has Breached The UK GDPR?
- How Much Could You Claim If An Employer Has Breached The UK GDPR?
- No Win No Fee Data Breach Claims
How Could Your Employer Have Breached The UK GDPR?
The UK GDPR and the Data Protection Act 2018 set out how the personal data of UK residents is to be protected and handled by data controllers and data processors. A data controller determines why personal data is to be processed as well as how to process it. The controller may instruct a data processor to process personal data on their behalf. Your employer may play both roles.
Should your employer fail to protect your personal data and a breach of the UK GDPR at work occurs, you could be eligible for compensation.
However, you must satisfy the data breach compensation eligibility criteria as set out in Article 82 of the UK GDPR. This means that you must have evidence that proves:
- The breach happened as a result of the data controller or processor failing to comply with the data protection legislation.
- Your personal data must have been compromised in the breach.
- Due to this compromise in your personal data, you suffered emotional and/or financial harm.
In addition to meeting the above criteria, you must start your case within the data breach claims time limit. This is typically 6 years. However, if your claim is against a public body, this is reduced to 1 year.
Speak to one of the advisors from our team to discuss what potential steps you could take if the UK GDPR is breached and you suffer harm as a result.
What Data Could Employers Handle?
Our employers hold personal information that is protected by the UK GDPR. Personal data or personal information is information that can be used to identify you, whether indirectly or directly.
Personal data includes your name, address, date of birth, sex and National Insurance number. It also covers information relating to your work history, such as your disciplinary records, your pay, any training you’ve been given and any accidents you might have had while at work.
Personal data that’s considered sensitive, however, it requires more protection. Sensitive data includes your race, ethnicity, religion, political opinions, trade union membership, medical conditions and sexual history or orientation.
How Should Employers Protect Employees’ Data?
Employers should take steps to protect personal data themselves and may also empower you to protect your own data. Simple security protocols are an important tool for employers to prevent UK GDPR breaches. Remember, the UK GDPR applies whether you are working in an office or remotely.
If your personal data is stored on a computer, it may need to be protected by a username and password and only accessible to people if absolutely necessary. Regular password changes can help increase security.
If your personal data is written down, then document management processes like keeping desks clear from papers, locking storage cabinets and properly destroying out-of-date records are vital.
Furthermore, employees should feel comfortable discussing what employers do with their personal data. Your workplace may have a policy that you can read and understand, and should also provide training if needed so employees know their rights and how to access, retrieve or delete their personal data.
What Happens If Your Employer Has Breached The UK GDPR?
If you are concerned that your employer has breached the UK GDPR, the Information Commissioner’s Office – known as the ICO – can investigate and fine your employer up to £17.5 million or 4% of its worldwide turnover, whichever is higher. It could also decide to issue a warning or compliance order, or ban your employer from processing personal data for a certain amount of time.
Employers are legally required to alert the ICO to a data breach within 72 hours of discovering it. They should also take certain steps of their own at the same time as or before alerting the ICO, particularly when it comes to trying to stop the breach and identifying any risks arising from it. The lengths that your employer is required to go to in the event of a data breach depends on the risk of harm that the breach creates.
For example, if they sent an email containing your personal information to someone outside the business or another employee, they could recall the email before it is opened. If an employee database is the subject of a phishing attack, they might have to take more action to get your information back or stop the hackers from using it.
How Much Could You Claim If An Employer Has Breached The UK GDPR?
There amount of data breach compensation you may receive after a data breach claim depends on different factors such as how serious the breach is and what you suffered.
The law allows you to claim for both material and non-material damage caused by your employer’s GDPR breach. Material damage means damages relating to your finances. For instance, if money was stolen from your bank account or your credit rating goes down, you could recover the loss. Non-material damage means harm relating to your mental health. This could be the ongoing anxiety you may suffer as a result of knowing that your personal information was leaked.
We’ve used figures from the 16th edition of the Judicial College Guidelines (JCG) to create the below compensation table. This was produced in April 2022. The JCG is a publication solicitors may use when valuing injuries. It contains potential compensation award brackets for various injuries, including psychological harm.
| Injury | Potential Award | Comments |
|---|---|---|
| Psychiatric: Severe | £54,830 to £115,730 | There’s significant difficulty coping with work, education and life. |
| Psychiatric: Moderately Severe | £19,070 to £54,830 | Significant problems coping with life but the prognosis is better than for those with severe psychiatric damage. |
| Psychiatric: Moderate | £5,860 to £19,070 | There’ll be improvement by the time of trial and there’ll be a good prognosis. |
| Psychiatric: Less Severe | Up to £5,860 | The extent to which everyday activities and sleep were affected will be taken into account when calculating the award. |
| Anxiety Disorder: Severe | £59,860 to £100,670 | Permanent effects to the extent that the person can’t work at all. |
| Anxiety Disorder: Moderately Severe | £23,150 to £59,860 | Effects will still cause disability. |
| Anxiety Disorder: Moderate | £8,180 to £23,150 | Largely recovered and no effects that are disabling. |
| Anxiety Disorder: Less Severe | Up to £8,180 | A practically full recovery within 1 to 2 years. |
Because of a case from 2015 known as Vidal-Hall and others v Google Inc, you can now make data breach claims for this kind of mental harm regardless of whether you also suffered material damage.
Give our compensation calculator a try to see what you may be entitled to, or contact one of our expert data breach lawyers for more information.
No Win No Fee Data Breach Claims
If you are eligible to seek compensation for an accidental data breach at work that compromised your personal data, you may like to have the support of a solicitor. If so, one of our data breach solicitors could work on your claim. Typically, they work under a Conditional Fee Agreement (CFA). This is a type of No Win No Fee arrangement.
When your solicitor works under the terms of a CFA, they generally don’t request you pay any upfront or ongoing fees for their services. They also won’t charge you for work on your case if your claim doesn’t succeed.
However, if your claim does succeed, your solicitor will deduct a success fee from your compensation. This amount is a legally limited percentage.
If you have questions about what to do if the UK GDPR is breached and you suffer harm as a result, contact an advisor from our team. They can evaluate your case for free, and if you meet the eligibility criteria to make a claim for a breach of the UK GDPR at work, you could be connected to one of our solicitors.
To talk to an advisor:
- Call 0800 073 8804
- Have an advisor call you back by filling in our ‘claim online’ form.
- Connect via our live chat.
Read More Articles On Data Breach Claims
You can find more articles on data breach claims below:
Claiming compensation for disciplinary record breaches – Advice about what to do if your employer exposed your disciplinary information in a data breach
Data breach claim FAQs – Answers to our most frequently asked questions when it comes to claiming for data breaches
My Personal Data Has Been Lost After a Breach – Find out what you could do if your personal data has been lost after a breach
ICO – Find out more about your rights under the UK GDPR from the Information Commissioner’s Office
Personal data an employer can keep about you – a government guide
Data Protection – the Government’s explanation of personal data protection
If you have any questions about claiming following a data breach caused because your employer has breached UK GDPR, why not get in touch?
