Breach of confidentiality at work – What happens if an employee breaches GDPR?

Peter Hammond Peter is a solicitor who has worked as a professional litigator for many years. More recently Peter has specialised in data breach compensation claims and over the last 2.5 years has gained a wealth of knowledge in this sector. Peter now works with us to share his knowledge and inform the general public.

Your employees can have access to a lot of sensitive information about your business, like financial data and client details to name a few examples. If you have suffered a breach of confidentiality at work we can help put you in contact with expert solicitors that will investigate your data breach compensation claim.

Confidentiality breaches at work can be prevented by incorporating confidentiality clauses and restrictive covenants in your employment contracts. These should clearly set out to your employees what information they cannot disclose. Also, confidentiality clauses help to provide an explanation of what your expectations are and the consequences for any employee that misuses workplace data. Putting these boundaries in place will not only create trust between you and your employees and a better working relationship but it will protect your business too.


What is classed as a breach of confidentiality?

A confidentiality breach happens when an employee, contractor, or worker shares or uses specific information in a way that could damage your business, its clients, or other employees. By law, business information can be broken down into four types:

  •       Trade secrets – details that are protected during and after employment even if there isn’t a confidentiality clause in your contract
  •       Confidential information – protected information that your employees know is confidential or it is obvious that it should not be used
  •       Employee’s skill or knowledge – employee information that helps them to do their job
  •       Public information – details that can’t be protected.

Different forms of information can be protected from a confidentiality breach in different ways. For instance, trade secrets are always protected no matter if they are referred to in your employment contracts or not.

As an employer you might want to protect intellectual property rights, trade secrets, and your client relationships from competition (for example through a contract clause stating that employees cannot use client lists to entice clients away during or after their employment).

How can you protect your business from a breach of confidentiality?

Including the following in your contracts can help you protect your business when it comes to confidentiality breaches.

  •       An express duty of confidentiality – this is when you state in your contracts what information is confidential, what your employee’s obligations are, and what the consequences will be if they share that information
  •       Restrictive covenants – stopping an ex-employee from competing with your business for a certain amount of time after they have left your business.

There is an implied duty of good faith in employment contracts. This can provide some protection against employees sharing confidential information while they work for you, but not once they have left. So relying on the implied duty alone carries a high level of risk.

Another thing to consider is whether all employees need access to specific areas of sensitive information such as client details. Where possible you should limit employee access to confidential information in order to lower the risk of a breach.

What should you do if you face a breach of confidentiality at work?

The most common approach when you discover a breach of confidentiality is to let your employee know that you are aware that they have breached confidentiality. You will have to inform them of the consequences and ask for an undertaking to stop misusing your business information.

You can pursue a legal claim against an employee in the event that they refuse to agree to an undertaking, or the breach has resulted in substantial harm to your business. A legal claim could lead to an injunction (a court order that stops someone using your private information) or damages that the employee is required to pay to you. The court will determine if an injunction or damages is more suitable based on how serious the breach of confidentiality is.

What are the consequences for an employee who breaches confidentiality at work?

Termination of employment

If your employee has intentionally and continuously breached confidentiality in your business, you can terminate their employment. You would need to complete an investigation and take any mitigation (supporting evidence they provide) into consideration before dismissal.

A civil lawsuit

If an employee has breached confidentiality and is no longer employed by you, you can start legal action in the civil courts and/or apply for an injunction.

Damaged reputation

This could affect the employee and the employer, depending on what information has been misused. As a business you could have a defamation claim for slander or libel against your employee. Going forward the employee might struggle with a negative reputation when attempting to seek other employment and the information breached could lead to an impacted reputation for your business too.

What is considered a breach of GDPR?

Firstly, what is the GDPR?

The General Data Protection Regulation (GDPR) came into effect in 2018 and unifies the rules for processing personal data by private and public companies. The regulation aims to ensure the protection of personal data across all industries. The principles for the processing of personal data under the GDPR are:

  •       Process it lawfully
  •       Process it fairly
  •       Be completely transparent about how data will be stored, processed, and used
  •       Have a clear purpose for using the data
  •       Keep the personal data you store to a minimum
  •       Be accurate about what data you need and don’t collect unnecessary information
  •       Don’t store data for longer than you need it, and delete information safely
  •       Maintain integrity and do everything you can to protect personal data
  •       Be accountable for your actions


So, what counts as a breach of GDPR?

There has been a lot of confusion surrounding what can be classed as a breach of GDPR and what can’t be. In the GDPR a personal data breach is defined as ‘a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.’ To explore this further, personal data breaches can be organised into three categories:

  •       Confidentiality breach – where there is an unauthorised or accidental disclosure of or access to personal data. This kind of breach is most common with patients’ records at medical centres and hospitals.
  •       Availability breach – where there is an accidental loss of or access to or destruction of personal data. An example of this would be the sort of problem that would arise after a cyber attack that prevented access to and/or destroyed records.
  •       Integrity breach – where there is unauthorised or accidental alteration of personal data.

A data breach could possibly involve all three categories depending on the nature of the circumstances.  


How has the definition of “personal data” changed?

In the past, a company dealing with business transactions could have assumed that personal data strictly meant account or ID numbers, addresses and dates of birth. Whilst this type of data should still be kept secure, the GDPR has expanded the definition of personal data.

Now, personal data is related to “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”. This means that social, mental, economic, cultural, and even genetic information will now be considered personal data that is to be protected by GDPR requirements.


What is the penalty for a GDPR violation?

The national supervisory authorities are required by the GDPR to impose warnings or fines for data protection offences. Any person who believes that their personal data is being processed unlawfully has the right to lodge a complaint with the ICO (Information Commissioner’s Office). The ICO can then investigate the security measures at that organisation and the degree to which it was at fault, and impose a fine based on its findings.


How long does a company have to report a breach of GDPR?

Whether the cause is a cyber-attack, a software error, a hardware failure or human error, all companies are obliged under the GDPR to report any violation of the protection of personal data to a data protection supervisory authority. Article 33 of the GDPR states that the responsible party must notify the competent supervisory authority (in the UK, the ICO) of a personal data breach straight away, and if possible within 72 hours of becoming aware of it. If the notification is delayed, a reasonable justification for the delay must be provided.

Also, it is important that there is a duty of documentation, so the person responsible must ensure all factors that led to the GDPR breach are clearly presented and documented. The better the company is prepared for a potential GDPR infringement the better the chances of only receiving a small fine or even just a warning.


Now you know what counts as a breach, how can GDPR violations be prevented?

A GDPR violation can happen to any company. The best way to minimise the risk of a breach in an organisation, and its consequences, is to take preventative measures. As well as having a strong crisis communication strategy, it is advisable to appoint a data protection officer (in some cases this is mandatory). To be sure of the strength of data security in a business, and to actively counteract a GDPR violation, all applications and software products used by the company should be checked to ensure they comply with GDPR requirements.


What else do you need to know about GDPR and data breaches?

1) Companies need to provide a clear explanation for collecting personal data

Many companies collect a user’s data without their knowledge. Even if the user doesn’t mind there needs to be a clear explanation of how that data will be used. In accordance with GDPR principles, a person must give explicit consent for how their data is being used.

2) Victims must be alerted to any risk

If a breach does occur, the company must contact the affected individuals straight away. According to GDPR principles, it is not appropriate or sufficient to release news of a breach through a press release, on a website, or through the use of social media.

3) GDPR compliance can differ from one company to the next

Compliance has a lot to do with a company’s size, the personal data that is collected via internal communications methods like a team app, as well as the goods and services that are offered.


If you think you have experienced a GDPR data breach contact us today and we can put you in contact with data breach solicitors. They can investigate your data breach claim and see if you have a case that is worth pursuing. If you do have a strong case you could be entitled to compensation not just for the risk of having financial information exposed but for any emotional distress or anxiety you had about having your personal data compromised. 

Is revealing my email address a breach of GDPR?

Although your e-mail address is personal, private, and confidential, revealing it is not necessarily a breach of GDPR. In order for a revealed email address to be considered a breach of GDPR the e-mail address has to fall into a specific category, namely one of the following:

  • A personal e-mail address such as Gmail, Yahoo, or Hotmail
  • A company email address that includes your full name such as

If the revealed e-mail address does not fall into one of these categories, then there is no GDPR breach or data breach. That means that admin@, info@, and similar business addresses do not fall into a category protected by GDPR. These are public knowledge and accessible by anyone.

However, when a personal email address, or an e-mail address containing PII (Personally Identifiable Information), is widely distributed or leaked, it opens up the owner to spam and viruses, as well as unwanted attention and easier ways to track them. When the e-mail address contains PII, be it a personal or business email address, this can also become dangerous if the information falls into the wrong hands.

How do email addresses get shared?

When you give your email address to a company you are entrusting them with personal information. This might be to sign up to something, enter a competition, join a mailing list, or even receive quotes or other information. Prior to the implementation of GDPR and the Data Protection Act of 2018, this information could be more easily shared with other companies who would pay for good email addresses for marketing purposes. Thankfully, new laws mean that companies cannot share your information without your express consent.

So how does an e-mail address get revealed at all?

There are different ways that your email address may have been leaked, and not all of them are malicious or intended – however, they are still an abuse of your rights and a breach of GDPR. Some of the offences include:

  • Using the CC (carbon copy) field in emails instead of the BCC (blind carbon copy) field, meaning all addresses are visible to all recipients
  • Accidentally sending information to the wrong email address. This is especially prevalent where an autofill has been used to address an email.
  • Forwarding an email chain without checking all personal and private information has been removed from the visible content
  • E-mail addresses and other data not being stored correctly or safely so it is more easily hacked
  • Disgruntled employees or criminal activity within companies where e-mail addresses are stolen or copied and shared outside the company
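As an added example (not code from this page or from Data Breach Claims), the following Python check flags an outgoing message whose visible To/Cc headers expose addresses the page classes as protected, which is the first leak cause listed above; the role-address list, the "first.last" name pattern and the visibility threshold are assumptions made for this example:

```python
"""Outbound-mail recipient-exposure check (added example, not the page's own code).

Flags a message whose visible recipient headers (To/Cc) expose addresses that
the page treats as protected: personal webmail accounts and company addresses
containing a person's name. Role addresses such as admin@ or info@ are ignored,
as the page says they are not protected. Bcc is never inspected because it is
not visible to recipients.
"""
from email import message_from_string
from email.utils import getaddresses
import re

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # the page's examples
ROLE_LOCALPARTS = {"admin", "info", "sales", "support", "noreply"}  # assumption
NAME_PATTERN = re.compile(r"^[a-z]+[._-][a-z]+$")  # assumed first.last style


def classify(address: str) -> str:
    """Return 'personal', 'named', 'role' or 'other' for one address."""
    local, _, domain = address.lower().partition("@")
    if domain in PERSONAL_DOMAINS:
        return "personal"
    if local in ROLE_LOCALPARTS:
        return "role"
    if NAME_PATTERN.match(local):
        return "named"
    return "other"


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def check_exposure(raw_message: str, max_visible: int = 1) -> dict:
    """Exposure occurs when more than max_visible addresses are shown and at
    least one of them is a protected (personal or named) address."""
    addrs = visible_recipients(raw_message)
    protected = sorted(a for a in addrs if classify(a) in ("personal", "named"))
    exposed = len(addrs) > max_visible and bool(protected)
    return {"visible": len(addrs), "protected": protected, "exposed": exposed}


# Constructed sample: a mailing sent with everyone in To/Cc instead of Bcc.
EXPOSED_MESSAGE = """\
From: newsletter@acme.example
To: jane.doe@acme.example, admin@partner.example
Cc: pat@gmail.com, info@other.example
Subject: Clinic appointment reminders

Reminder text.
"""

# Constructed sample: the same mailing addressed to the sender, recipients in Bcc.
SAFE_MESSAGE = """\
From: newsletter@acme.example
To: newsletter@acme.example
Subject: Clinic appointment reminders

Reminder text.
"""
```

Run `check_exposure` on each draft before it leaves the mail gateway; a result with `"exposed": True` is exactly the CC-instead-of-BCC mistake the list above describes.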

What can I do if my email has been revealed?

How you respond to your leaked or revealed e-mail address is usually up to you and is based on the severity of the breach. For instance, if your email address was leaked in a group of email addresses for people with certain medical conditions then the severity of the leak or breach is much worse than if your email address was revealed in a general information mailing list where you were CC’d instead of being BCC’d.

If you feel that the revelation or breach is serious then you should start by reporting it to the company directly. You may find that they are willing to make reparations immediately or were not even aware of the problem. The company or person who revealed your email address is then responsible for reporting the breach to the supervisory authority within 72 hours of finding out about it. 

The supervisory authority will then investigate and will usually decide on the suitable disciplinary action to be taken, if any.

You can also ask to see the correspondence between the company and the supervisory authority as it pertains to you and your information.

This is all laid out in Article 33 of the GDPR.

If you still feel that you have suffered injury or damage because your email address was revealed then you may be able to take the matter further. If someone else having access to your email address has resulted in measurable psychological or financial damage, then you may be able to claim compensation if you can prove that the injury or damage were directly linked to the data breach. 

How we can help with an e-mail GDPR violation

If your information has been leaked and you have suffered as a result, possibly through harassment, hacking, or other abuse of your e-mail address, then you are probably feeling vulnerable and uncertain. At Data Breach Claims we put you back in control and put you in contact with one of the best data breach solicitors in the UK. 

They will offer a free initial consultation to help you decide if your case is worth pursuing, and work on a No-win, No-fee basis. Our goal is to give you the best possible result.


© DataBreach Claims 2022. Data Breach Claims is a trading name of SJS Legal Limited (company number: 10598802). SJS Legal is authorised and regulated by the Solicitors Regulation Authority (SRA Number: 639197). This website operates in accordance with the privacy policy. ICO reg no. ZA473694. Data Breach Claims connects clients to regulated solicitors who deal with data breaches. We do not perform any legal services but simply connect you to a legal representative.
