By Max Morris. Last Updated 16th June 2022. What happens if an employee breaches UK GDPR? Does this mean personal data has been exposed?
To safeguard against personal information being mishandled or exposed, organisations that decide why and how personal data is collected and used must adhere to legislation such as the UK General Data Protection Regulation (UK GDPR), which works alongside the Data Protection Act 2018.
These laws require every organisation that handles our personal information to take appropriate steps to protect it. If an employee caused a data breach through human error, could those affected be entitled to make a personal data breach claim?
In this article, we discuss how you can put together a claim for compensation based on a data breach that affected you. Perhaps you have already started to experience adverse consequences, such as funds missing from your accounts or an increase in unwanted emails. The consequences of a data protection breach can be distressing and can cause very real health issues.
Read on or get in touch with our team now to discuss what practical steps you can take to address these problems.
- Call us at 0800 408 7825
- Or reach out by email at Public Interest Lawyers
- Alternatively, you can use the ‘live support’ option at the bottom of this screen
Select A Section
- What Happens If An Employee Breaches UK GDPR?
- How Could Employees Breach The UK GDPR?
- How Can Employee Data Breaches Be Prevented?
- What Personal Data Could Be Involved In The Breach?
- Compensation Payouts For a Data Protection Breach at Work
- Can I Start A No Win No Fee Claim After An Employee Breaches UK GDPR?
Together with the Data Protection Act 2018, the UK General Data Protection Regulation seeks to protect the data rights of the public. An independent body, the Information Commissioner’s Office (ICO), upholds information rights and enforces these laws.
UK GDPR requires all data controllers (usually the organisations that decide why and how personal data is processed) to follow strict standards of conduct around the use of personal information. With this in mind, organisations and companies must provide clear training for their staff and ensure they understand their obligations under UK GDPR.
A personal data breach can cause tremendous suffering and financial harm. So companies and their employees have a duty to follow precise standards when it comes to the information of clients, users, or customers. Failure to uphold data protection laws such as the UK GDPR can be investigated by the ICO and penalties issued.
Data breaches caused by employees can be either accidental or deliberate, with human error being a major factor. Where wrongful conduct on the part of the data controller results in a personal data breach affecting others, it may be possible for you to seek damages against the data controller.
It is vital that organisations that process personal data train their staff in data protection awareness. If an employee causes a personal data breach through human error and you suffer harm as a result, there is a possibility you could make a data breach claim.
So what happens if an employee breaches UK GDPR? Not every breach of data protection law results in a personal data breach. Equally, a personal data breach does not automatically entitle the person affected to compensation.
Call our advisors for a free consultation and they can tell you whether you have a valid case.
Personal information is mainly handled by two groups: ‘controllers’ and ‘processors’. Personal information is shared and used by these groups for an array of tasks, and consent is not always strictly necessary as the lawful basis. However, both groups have a duty to comply with UK GDPR.
UK GDPR sets out 7 core principles governing the collection, use, storage, and sharing of personal information:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Employees who do their utmost to comply with these core principles can do much to prevent data breaches. As the victim of a security incident that leads to a data breach, you must be able to demonstrate that the data controller in question handled your personal information in a way that contravened UK GDPR in order to make a claim.
Personal Information Breaches
Unfortunately, these standards are not always met. Where staff have not been properly trained in data security, or where there is a weakness in IT security, there is room for a breach to occur.
A personal data breach that is likely to result in a risk to the rights and freedoms of data subjects must be reported by the organisation to the ICO within 72 hours of becoming aware of it. If an employee has exposed your details in a way that is likely to result in a high risk to your rights and freedoms, the organisation must also inform you, the data subject, without undue delay.
Firstly, you should contact the company involved if you have data breach concerns. Furthermore, you can raise a concern with the ICO whenever you wish. But it’s important to make your complaint to the ICO no later than three months after the last meaningful contact with the company concerned as, after this date, they may consider the matter closed.
You can use a template on the ICO website to raise a concern with an organisation or complain directly to the ICO. As well as this, you can start a personal data breach case for compensation to recover your damages caused by the data breach.
Data breaches can happen in a variety of ways. Not all the information that a data controller holds about you is protected by data protection law. Personal data such as your name, address and date of birth, and special category data such as your religion, medical information and ethnicity, are all types of information protected under these laws.
If an organisation did all it reasonably could to prevent a data breach that nonetheless happened, a claim against it is unlikely to succeed.
Personal data breaches could happen in the following ways:
- Wrongly addressed emails or letters
- Stolen laptops or security equipment
- Casual conversations
- Computer screens left visible
- Employees who fail to secure paperwork properly
- Personal information transported or stored insecurely
- Employees who fell victim to a phishing attack or other online scam
- An employee who accidentally misconfigured access privileges (allowing unauthorised staff to see content)
What Will Happen To The Employee?
‘Vicarious liability’ is a principle under which employers can be held responsible for their staff’s actions. With this in mind, the employer could be subject to enforcement action by the ICO. The company could be liable for damages whether the act by its employee was accidental or deliberate.
Many organisations are required to appoint a Data Protection Officer, who will typically investigate how the breach occurred. Different organisations may deal with the employee concerned in a variety of ways, from retraining to disciplinary action.
The surest way to prevent employee data breaches is for organisations to follow some practical and obvious steps:
- Implement clear and simple workplace guidelines (such as proper shredding protocols)
- Train staff fully on data security principles and awareness, and refresh that training regularly
- Make UK GDPR procedures as clear as possible
- Appoint a Data Protection Officer
- Conduct regular risk assessments
- Ensure IT systems and access controls are secure
Once again, the more closely a company adheres to the principles outlined in UK GDPR and disseminates these expectations to their staff, the greater their defence against data breach issues for their clients or customers.
Personal and sensitive or special category information is protected under the data protection laws in the UK. This can include:
- Name and address
- Date of birth
- Email details
- Marital status and sexual orientation
- Bank details
- Debit and credit card information
- Criminal records
- Medical records
Therefore, employee conduct is essential in keeping this information secure. It should be noted that just one or two pieces of this personal information could enable a cybercriminal to perpetrate fraud in the data subject’s name.
The Data Protection Act 2018 and UK GDPR apply to all organisations equally. Did the pharmacy employee accidentally send an email with your medical details to the wrong recipient? Did social services ensure they redacted an email concerning you correctly before sending it to someone else? Or perhaps a bank employee caused your credit card information to be exposed?
There are myriad ways that any piece of personal information could be used in a way that harms data subjects. Speak to our team to discuss how you could establish liability for these issues and seek appropriate compensation for the aggravation, distress, or money problems they caused.
You may be wondering, ‘what else happens if an employee breaches GDPR’. If an employee has breached the UK GDPR, and this has caused your personal data to be exposed to unauthorised parties and you to suffer harm, you could potentially claim compensation. You might be wondering how much you could receive in a successful data breach claim.
The two heads of claim that could be included are material damages (financial losses) and non-material damages (psychological harm) caused by the breach. You would only be able to claim for a data protection breach at work if you have suffered one or both of these losses because the action or inaction of a member of staff or your employer led to a personal data breach.
Following the outcome of two legal cases (Vidal-Hall and Others v Google and Gulati and Others v MGN), you are now able to claim for non-material losses caused by a data breach without having suffered a financial loss. Furthermore, non-material damages are now assessed using the same criteria as in a personal injury case.
Due to this, the Judicial College Guidelines can give you a clearer idea of what you could receive for psychological injuries. These figures have been taken from the latest guidelines, published in 2022.
| Health concern | Level of severity | Judicial College Guideline award bracket | Notes |
|---|---|---|---|
| General psychiatric damage | Severe (a) | £54,830 to £115,730 | Acute mental distress that impacts every area of the sufferer's life, with a poor prognosis for recovery |
| General psychiatric damage | Moderately severe (b) | £19,070 to £54,830 | Problems with work, relationships and other issues that prevent normal coping, but to a lesser degree than above |
| General psychiatric damage | Moderate (c) | £5,860 to £19,070 | A better prognosis than the two brackets above, with a marked improvement by the time of trial |
| General psychiatric damage | Less severe (d) | £1,540 to £5,860 | Specific mental health issues such as a phobia, disrupted sleep, anxiety or other minor physical symptoms |
| Mental and emotional stress (PTSD) | Severe (a) | £59,860 to £100,670 | PTSD of this level severely impacts the sufferer's life and prevents them from taking part in normal activities at anywhere close to the way they did before |
| Mental and emotional stress (PTSD) | Moderately severe (b) | £23,150 to £59,860 | A more positive prognosis than above, and the extremes of the condition may be mitigated with professional counselling, but effects remain noticeable for the foreseeable future |
| Mental and emotional stress (PTSD) | Moderate (c) | £8,180 to £23,150 | On the whole a recovery, with only slight persisting issues of concern |
| Mental and emotional stress (PTSD) | Less severe (d) | £3,950 to £8,180 | A recovery that is complete within 2 years, or only minor remaining problems that are controllable |
Please remember that these figures are not guaranteed. This is because every claim is different and, should your claim be successful, the amount you receive can be based on many different factors.
Additionally, please bear in mind that you would need financial evidence, such as receipts and invoices, to claim for material losses. If you would like more information about the claims process, please contact us for free legal advice.
Whilst you are pursuing your data breach complaint with the ICO, you can also seek legal advice. If you decide to engage the services of a data breach specialist, they could help you do this under a No Win No Fee agreement.
There are no upfront fees when hiring a No Win No Fee lawyer. If the case succeeds, an amount not exceeding 25% of your compensation is due as their fee. If it does not succeed, there are no fees to pay your No Win No Fee data breach specialist.
Speak to our team now to see how a No Win No Fee agreement could help you fund legal representation. Or, for advice after an employee has breached UK GDPR and caused a personal data breach, simply get in touch by:
- Calling us to learn more about what happens after an employee breaches UK GDPR on 0800 408 7825
- Or reach out by email at Public Interest Lawyers
- Alternatively, you can use the ‘live support’ option at the bottom of this screen
What happens after an employee breaches UK GDPR – Further Resources
In conclusion, thank you for reading our article. For more advice if you were wondering what happens if an employee breaches UK GDPR, please refer to the resources below:
- Further help on UK GDPR and data breach compensation
- More information about a data breach caused by a misdirected fax
- Or guidance if you need help with compensation after a dental data breach
- Advice about staying safe online at home
- Data protection advice for your business from the government
- Lastly, read more about mental health issues that could be caused by a data breach
Article by EA