What are the repercussions of a GDPR breach by employers?

A GDPR breach can be a costly error for employers. To comply with these stringent regulations, an employer first needs to determine where its responsibility lies.

It is important to establish your status before processing any data, so as to ensure there are no gaps in demonstrating your compliance. The regulation uses a number of definitions to identify who is a data subject, a data controller or a data processor. An employer will primarily be a data controller, because it exercises direct control over its employees' data and determines the purposes for which that data is processed. In contrast, a data processor processes data for and on behalf of the data controller; for example, a third-party pension provider used in the workplace. Status is determined by the processing activity rather than by the type of organisation, so it is worth assessing each activity separately. As a data controller, therefore, an employer can find itself directly liable under GDPR.

How will the ICO react to a GDPR breach?

GDPR gives supervisory authorities, such as the Information Commissioner's Office (ICO), a range of investigative and corrective powers to deal with breaches of data protection law (compensation for affected data subjects is a separate matter, pursued through the courts rather than awarded by the ICO). The ICO may serve a variety of written notices: an information notice requiring an employer to provide information showing that it has complied with GDPR; an assessment notice allowing the ICO to assess whether the employer is complying; or an enforcement notice requiring the employer to take, or refrain from taking, the steps set out in the notice itself. Failure to comply with these notices can in itself result in the ICO issuing a penalty notice, so if you receive such a notice you should act promptly.

Penalties for a GDPR breach

Penalties issued by the ICO can be large enough to threaten the survival of a business. Where the breach relates to the data protection principles, the rights of data subjects or international transfers of personal data, the maximum penalty the ICO may impose is up to 4% of the undertaking's total annual worldwide turnover in the preceding financial year, or up to 20 million euros (or the equivalent in sterling), whichever is higher. Where the breach instead concerns the more procedural obligations placed on controllers and processors, such as keeping records of processing, implementing appropriate security measures, notifying personal data breaches or carrying out data protection impact assessments, the maximum is up to 10 million euros (or the equivalent in sterling) or 2% of total annual worldwide turnover in the preceding financial year, again whichever is higher.

When deciding whether to impose a penalty, and at what level, the ICO takes account of a range of factors, including the nature and gravity of the infringement, whether it was intentional or negligent, and the action taken by the employer, as controller, to mitigate any damage suffered by data subjects. As an employer it is therefore crucial to ensure that you comply with the data protection principles and have implemented appropriate technical and organisational measures, including data protection policies and procedures. If you have received a fine from the ICO and need advice on the next steps, or if you need legal assistance in demonstrating your compliance with these regulations, including putting appropriate policies and procedures in place, please contact our Commercial Services Department, who will be happy to assist.


Find out why updating your terms and conditions is an important way to stay the right side of GDPR in our recent article.

Disclaimer: The information provided on this blog is for general informational purposes only and is accurate as of the date of publication. It should not be construed as legal advice. Laws and regulations may change, and the content may not reflect the most current legal developments. We recommend consulting with a qualified solicitor for specific legal guidance tailored to your situation.