By Jo Anderson. Last Updated 10th August 2023. The UK General Data Protection Regulation (UK GDPR) is legislation intended to protect your personal information when it is collected, stored or processed by an organisation. It sets rules for how that information can be used and how it must be kept confidential and secure. Your employee data is your personal information, and if your employer breached the UK GDPR, that breach caused a personal data breach, and you suffered harm as a result, you could be eligible to claim compensation.
This is a guide about data breaches: we’ll talk about the different reasons an employer can be found liable for a data breach and the guidelines the UK GDPR sets out for the use and protection of your data. We’ll also inform you of the steps you can take if you were affected by a breach and how you can contact a data protection solicitor to help you make a claim for compensation.
You can also speak to an adviser about any questions you might have about making a claim. They offer free initial consultations and can be contacted by:
Select A Section
- What Is Employee Data?
- How An Employer Could Have Breached The UK GDPR
- What Happens If An Employer Breached The UK GDPR?
- How Do You Ensure Data Protection In The Workplace?
- What Could You Claim If Your Employer Breached The UK GDPR?
- Begin A Data Breach Claim Against Your Employer
Any information that could be used to identify you can be considered personal information. This can come in the form of:
- Unique information from which you can be directly identified (such as your name or an image of your face)
- Information that can be combined with other pieces of data to identify you (such as your date of birth when linked with your place of work)
When your personal information is created, collected or used at your place of work, it becomes employee data. The collection of employee data, and the organisations with access to it, are subject to the UK GDPR and the Data Protection Act 2018. There are rules for how personal data can be collected, how it must be stored, who it can be shared with and how it must be kept secure.
Your employer taking any actions with your data that go against the regulations set out in the legislation could mean your employer has breached the UK GDPR.
Below, we’ll examine some ways an employer could have breached the UK GDPR.
A failure to secure your data:
Once an employer collects your data, it becomes their responsibility to make sure that it is stored securely.
It falls on an employer to be aware of and implement good data security practices at a place of work, as well as be alert to and discourage bad practices.
If an outside party gains access to your information because your employer failed to take the necessary steps to secure it, your employer could be found liable in a claim.
Inappropriate use of your data:
Your employer using or sharing your data without a lawful reason can be considered a data breach. Whether it is data they have collected about you, or data you have provided to them, your employer has restrictions over what they can do with your information.
The UK GDPR sets out six lawful bases for processing. Every use of your data must rest on at least one of them, so they act as a yardstick for whether a particular use was appropriate:
- Consent: You have given your employer clear consent to use your personal data in that specific way, and you can withdraw it.
- Contract: The use of your data is necessary to fulfil the contract you have with your employer, or to take steps you have asked for before entering into one.
- Legal Obligation: The use of your data is necessary for your employer to comply with the law.
- Vital Interest: The use of your data is necessary to protect someone's life.
- Public Task: The use of your data is necessary for a task carried out in the public interest or for official functions set out in law.
- Legitimate Interest: The use or sharing of your data is necessary for your employer's (or a third party's) legitimate interests, and those interests are not overridden by your own rights and interests.
If you suffered harm because your personal data was breached due to your employer’s wrongful conduct, you could be eligible to make a claim for compensation.
Collecting Data They Were Not Allowed To Collect:
Some personal data is considered sensitive under the UK GDPR and so comes with extra protections. As well as a lawful basis, your employer must satisfy one of the separate conditions in the legislation before collecting or using special category data, which is data relating to your:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- sex life;
- sexual orientation.
Employers are expected to carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals, which includes processing special category data on a large scale. They must then make sure their use and collection of the data stays within the purposes and scope recorded in that assessment.
A DPIA is also necessary for systematic monitoring of staff or of a public area, such as CCTV. While your employer is allowed to use CCTV, they cannot employ it in a way that is unnecessarily invasive of privacy, and any use of the footage must fit within a lawful basis.
If your employer breached the UK GDPR, which caused a data breach, and this led to you suffering harm, reach out to one of our advisers now for information on the steps you can take.
If an employer is found to have breached the UK GDPR, the Information Commissioner's Office can fine them up to £17.5 million or 4% of their total annual worldwide turnover, whichever is higher.
Data breaches are taken seriously, and if you suffered harm from an employer data breach, you can contact one of our advisers for information on the next steps to take.
Time Limit For Employer Data Breach Claims
There are restrictions on how long you could have to launch an employer data breach compensation claim.
Generally, you will have 6 years from the date of the breach to start a personal data breach claim. However, if you are making your claim against a public body, this time limit is reduced to 1 year.
One of the benefits of working with a solicitor on your claim is that they can ensure that your claim is filed within the correct limitation period. To see if you could be eligible to work with one of our No Win No Fee solicitors, you can contact our advisors. They could also help you with what steps you should take should an organisation be in breach of the UK GDPR and how to claim compensation.
Employees at any level might be asked to process employee data, or might at some point have access to it.
They will not always be aware of the standards set out in data protection law. Providing training and having clear data protection policies in place can help prevent breaches.
Instilling better security practices can help prevent outside access to personal information. Discouraging practices such as accessing employee data on personal or shared laptops, and carefully monitoring and regulating how employee data is shared (for example by email), can help maintain the security of workplace data.
Can You Sue A Company For Breaching The UK GDPR?
You can sue your place of employment, or any company holding your data, for a data breach.
To be eligible to make a claim, you would have to prove that you suffered harm as a result of the breach. Evidence can come in the form of:
- Financial Evidence: Records of how the breach affected you financially, such as bank statements showing losses.
- Medical Evidence: Medical records showing a diagnosis of a psychiatric injury, such as Post Traumatic Stress Disorder, or documenting the distress you suffered because of the breach.
Our advisers can offer you more information on the steps to take, to formally make a claim for compensation if you suffered harm because your employer breached the UK GDPR.
Compensation can be awarded to address the harm you suffered from a data breach.
For any financial harm, you can seek compensation under a head of claim known as material damages. This can address financial losses you suffered as a result of the breach, such as:
- Money stolen from you using the data exposed in the breach (such as credit card details)
- Costs you have incurred for treatment
- Loss of income, if you lost out on work because of the breach
For mental harm, you can seek compensation under a head of claim known as non-material damages. The Judicial College Guidelines list compensation brackets for psychological injury. The table below uses figures from the 2022 edition to illustrate potential awards.

| Injury | Severity | Compensation bracket |
|---|---|---|
| Severe PTSD | Permanent effects leaving the claimant unable to function in life | £59,860 to £100,670 |
| Moderately Severe PTSD | Professional help has benefited the claimant, but they will still suffer significantly | £23,150 to £59,860 |
| Moderate PTSD | Claimant will have largely recovered, with some remaining effects | £8,180 to £23,150 |
| Less Severe PTSD | Claimant will have recovered within a year | £3,950 to £8,180 |
| Severe Psychiatric Damage | Severe effects on the claimant's ability to cope with life | £54,830 to £115,730 |
| Moderately Severe Psychiatric Damage | The claimant's ability to cope with life is heavily affected, but there is optimism about recovery | £19,070 to £54,830 |
| Moderate Psychiatric Damage | Claimant will have had problems coping with life but is showing improvement | £5,860 to £19,070 |
| Less Severe Psychiatric Damage | Claimant could not perform daily activities for a short period of time | £1,540 to £5,860 |
The ruling in the Court of Appeal case Vidal-Hall and others v Google Inc (2015) means the two kinds of compensation can be sought independently: you do not need to have suffered financial harm to claim for psychological harm caused by the breach.
Our advisers can offer you more information on compensation in UK GDPR data breaches and possibly value your claim.
Our data breach solicitors offer No Win No Fee arrangements for every claim they take on. This is a conditional fee agreement under which they would not charge you an upfront solicitor fee to handle your claim, nor any ongoing solicitor fees.
Payment would only be taken on the condition that your claim was successful and you were awarded compensation. This is a success fee: a legally capped percentage of the compensation awarded. If you were not awarded compensation, they would not charge you a success fee.
To see if you can speak to one, why not get in touch with one of our advisers. You can reach them now via:
Related Workplace Data Breach Claims
Below are some additional resources you might find useful:
- ICO: The ICO has a guide explaining the process of making a claim for compensation
- ICO: The ICO also has a guide on how to respond to a personal data breach
- GOV: The government’s guide to the personal data an employer can keep about an employee
Thank you for reading our guide on what could happen if your employer breached the UK GDPR. We offer other guides on topics such as:
- Making A Claim After Suffering Injuries In A Crime
- Claims Against A Housing Association For A Data Breach
- Post Office Data Breach Claims
Please get in touch with our advisers for any information you might need.