
Can An Individual Be Held Responsible For A GDPR Breach?


The GDPR is a set of general data processing principles that must be adhered to when processing the personal data of individuals. Failure to comply with GDPR — both UK-GDPR and EU-GDPR — can result in fines amounting to millions, so it’s no surprise that many businesses are concerned. 

However, GDPR is largely aimed at the organisations that process personal data rather than at the individuals who carry out that processing. So, can an individual actually receive a GDPR fine?

If you’re reading this article, you probably already know something about the General Data Protection Regulation (GDPR) and how it affects data privacy. Read on to find out how UK-GDPR and EU-GDPR affect organisations and, potentially, the individuals within them.

What is a General Data Protection Regulation (GDPR) fine?

A GDPR fine is a monetary penalty imposed by a supervisory authority, such as the ICO (Information Commissioner’s Office) in the UK, on organisations that fail to protect the information of data subjects and do not comply with data protection rules. Although the GDPR is a regulation rather than a directive, enforcement is carried out at the national level by the supervisory authority in each European country.

This means that each national supervisory authority can impose its own fine amounts on organisations, ranging anywhere from a few thousand to millions of pounds or euros, depending on the scale and seriousness of the breach. The GDPR fine amount is usually determined by a number of factors, including the organisation’s size, the type and number of violations, and the duration of the non-compliance.

How do you get a GDPR fine? 

An organisation can receive a GDPR fine if it fails to comply with the regulation’s data protection rules. The GDPR covers all organisations that either process the personal data of EU residents or offer goods or services to them, regardless of the organisation’s size. This means that small and large companies alike are required to comply with these rules and are subject to the same maximum fine amounts.

Can individuals be fined under GDPR?

In very specific circumstances it is possible for an individual to receive a fine, but GDPR fines are usually imposed on organisations. If an organisation is made up of one person, then you can consider that an individual fine, but otherwise, the fine goes to the organisation as a whole. 

UK-GDPR and EU-GDPR do not apply to data processing carried out by individuals for purely personal or household activities. However, if a person is self-employed and processes personal data as part of their business activities, they could be held responsible in the event of a GDPR breach.

There are other specific circumstances, however, in which an individual within a company or organisation can be fined for breaching data privacy law:

  • Obstructing an investigation into non-compliance with GDPR.
  • Submitting false information to the ICO or another data protection authority (DPA).
  • Destroying or falsifying evidence or information.
  • Obstructing official warrants issued under GDPR or other privacy laws.
  • Unlawfully obtaining personal data without the permission of the data controller.

Essentially, it’s rare for individuals to face a fine for failing to comply with GDPR unless they run a business or organisation as a sole trader. In that case, the business consists solely of one individual, so they are the only person to whom a fine can be applied.

Outside of this, examples of fines applied to individuals for data breaches are few and far between. One such example involved an employee who moved to another company and took a large amount of client details with them to use in their new position. They were fined less than £1,000 for the GDPR infringement.

Even organisations aren’t guaranteed to face a fine in the event of an alleged data breach. From 2016 to 2017, the ICO looked at around 17,300 data breach cases, and only 16 actually resulted in a fine.

There are many factors to consider when assessing a data breach and the likelihood of a fine, but a surefire way for a company to draw heavy enforcement attention is for a large number of GDPR violations to occur at once or in quick succession.

Could a manager or director be fined for a data breach by one of their employees?

It is possible for those in positions of responsibility to be held liable for a breach of data protection law committed by someone working for them. Part 7, section 198 of the Data Protection Act 2018 provides that where an offence under the Act has been committed by a body corporate and is proved to have been “committed with the consent or connivance of or to be attributable to neglect on the part of; a director, manager, secretary or similar officer of the body corporate, or a person who was purporting to act in such a capacity”, that officer is also guilty of the offence.

How much is a GDPR fine?

As explained above, the GDPR fine amount is determined by a number of factors in addition to the organisation’s size. This makes it difficult to predict accurately the financial penalty for any given personal data breach.

However, the ICO has published guidance on GDPR fines and suggests that the penalty for a company that fails to comply with GDPR could range from a few thousand to hundreds of millions. These figures should be taken with a grain of salt, as they are only meant to illustrate the broad range of possible GDPR fines.

For breaches of the data protection principles under EU-GDPR, administrative fines of up to 10 million euros, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be applicable.

The potential fines are considerably greater than under the old Data Protection Act 1998, where the maximum fine that could be handed out under data privacy laws was £500,000.

Bottom line with GDPR fines

GDPR fines vary and are determined by a number of factors, including the organisation’s size, the type and number of violations, and the duration of the non-compliance. The penalties imposed on companies for data breaches have become harsher as privacy laws have evolved over time.

As a result, an individual in a company can expect their position to be damaged if they are responsible for a breach, especially one that has resulted in large administrative fines – even if they do not receive a fine personally. An individual is likely to face consequences within their organisation if the breach is significant, or worse, repeated, especially if they failed to take steps to bring data processing into line with data protection rules and avoid GDPR fines.


Eleanor Watts

Eleanor Watts is a skilled solicitor who specialises in handling data breach cases and leads the dedicated team at the Data Breach department. Her journey began at the University of Nottingham, where she earned her law degree, and later pursued her masters in law from the University of Law. Becoming a qualified solicitor in 2021 after completing her training, Eleanor's focus turned to data protection and privacy claims, a field she's excelled in since the implementation of GDPR in 2018.
