What happens if an employer fails to comply with the General Data Protection Regulation when it comes into effect?

The General Data Protection Regulation (2016/679 EU) (GDPR) will come into effect on 25 May 2018 and will apply directly in all EU member states. The Government has confirmed that the GDPR will be implemented in the UK as it will still be a member of the EU at that time.

If an employer breaches its obligations under the GDPR, it may be subject to an administrative fine of up to €20 million or 4% of the undertaking's worldwide annual turnover, whichever is higher. Regulatory bodies will consider a number of factors when determining the level of fine, including the nature, gravity and duration of the breach; the level of damage suffered by individuals; and any action taken by the organisation to mitigate the damage suffered by individuals.

Regulatory agencies will also have the ability to impose a wide range of sanctions, including specific compliance orders and a ban on processing personal data.

Additionally, organisations that breach the GDPR may be subject to private claims for compensation by individuals or consumer protection bodies on behalf of individuals.