What happens if an employer fails to comply with the General Data Protection Regulation?
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has applied since 25 May 2018 and applies directly in all EU member states, including the UK.
If an employer breaches its obligations under the GDPR, it may be subject to an administrative fine of up to €20 million or 4% of the undertaking's worldwide annual turnover, whichever is higher. Regulatory bodies will consider a number of factors when determining the level of the fine, including the nature, gravity and duration of the breach; the level of damage suffered by individuals; and any action taken by the organisation to mitigate that damage.
Regulatory agencies will also have the ability to impose a wide range of sanctions, including specific compliance orders and a ban on processing personal data.
Additionally, organisations that breach the GDPR may be subject to private claims for compensation by individuals or consumer protection bodies on behalf of individuals.