What happens if an employer fails to comply with the UK GDPR?
An employer that fails to comply with the UK General Data Protection Regulation (the retained UK version of EU Regulation 2016/679) (UK GDPR) could be subject to enforcement action by the Information Commissioner's Office (ICO). The ICO has the power to issue sanctions for a breach of the UK GDPR, including warnings, compliance orders, bans on processing, and fines.
An employer in breach of the UK GDPR may be subject to an administrative fine of up to £17.5 million or 4% of the undertaking's worldwide annual turnover, whichever is higher. The ICO will consider a number of factors when determining the level of fine, including the nature, gravity and duration of the breach; the level of damage suffered by individuals; and any action taken by the organisation to mitigate the damage suffered by individuals.
Additionally, organisations that breach the UK GDPR may be subject to private claims for compensation by individuals or consumer protection bodies on behalf of individuals.