Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your team handles personal data, you’re probably confident your business must comply with UK GDPR. But what about the people inside your business - can an individual be held responsible when something goes wrong?
It’s a fair question, especially for founders and managers who set the tone on data protection. The short answer: organisations carry most of the risk, but in some situations, individuals can face personal consequences under UK law.
In this guide, we’ll unpack what UK GDPR and the Data Protection Act 2018 expect from your business, when individuals (like directors, managers and employees) may be personally on the hook, and the practical steps you can take to reduce both organisational and personal risk from day one.
What Does UK GDPR Expect From Your Business?
Under the UK GDPR and the Data Protection Act 2018, the primary legal duties fall on “controllers” and “processors”. Most small businesses are controllers for the personal data they collect from customers, users and staff. If you use third parties to process data on your behalf (for example, your CRM or email marketing platform), they are your processors and you must have compliant contracts in place.
Key principles you must meet include lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In practice, that means you should:
- Be clear about how and why you use personal data, and publish a clear, accessible Privacy Policy.
- Limit data to what is necessary, keep it accurate, and delete it when you no longer need it (a documented approach to data retention really helps).
- Put in place appropriate technical and organisational security measures, including training, access controls and encryption where appropriate.
- Have written terms with processors - a UK GDPR-compliant Data Processing Agreement is essential.
- Be ready to respond promptly to a subject access request and other data rights requests.
- Handle marketing and cookies in line with PECR, including using compliant cookie banners and honest consent mechanisms.
As the controller, your business will usually be the entity investigated by the ICO, and the one that receives any enforcement notice or fine. But that doesn’t mean individuals are risk-free.
Can An Individual Be Held Responsible Under UK GDPR?
Broadly, yes - individuals can be held responsible in certain situations, although it’s less common than action against organisations. Here’s how liability can arise at an individual level:
1) Criminal Offences Under The Data Protection Act 2018
While UK GDPR sets out the core obligations, the Data Protection Act 2018 creates specific criminal offences. Individuals can be prosecuted (and potentially fined or, in serious cases, imprisoned) for acts such as:
- Knowingly or recklessly obtaining, disclosing or retaining personal data without the consent of the controller (for example, emailing yourself a client list before resigning).
- Procuring someone else to obtain or disclose personal data unlawfully.
- Re-identifying anonymised data unlawfully.
- Failing to comply with certain ICO notices, or destroying records after a request for information.
The ICO has prosecuted individuals for “data theft”, snooping and similar conduct. These cases often involve employees or contractors acting without authorisation.
2) Officers’ Liability For Corporate Offences
If a company commits a data protection offence, directors, managers and similar officers can sometimes be personally liable where the offence was committed with their consent or connivance, or was attributable to their neglect. In other words, if leadership knew about (or turned a blind eye to) non-compliance, they may find themselves in the frame alongside the business.
3) Civil Liability In Tort Or Equity
Affected individuals sometimes bring civil claims for misuse of private information, breach of confidence or negligence. While these claims usually target the employer, in some scenarios an individual wrongdoer may be named personally (for example, a staff member who deliberately leaks data). Whether that succeeds will depend on the facts, but it’s a real risk when conduct is intentional or malicious.
4) Disciplinary And Employment Consequences
Even where criminal or civil liability doesn’t arise, individuals may face disciplinary action or dismissal for breaching data protection policies. Employers must manage this fairly and lawfully, but you should expect regulators to ask how you addressed the human causes of any breach.
When Are Directors And Managers Personally Liable?
As a founder, director or senior manager, you shape your organisation’s compliance culture. UK law expects you to set up adequate systems, resource them properly and monitor them. Personal exposure increases where leadership fails to implement reasonable measures to prevent foreseeable breaches.
Risk increases where:
- There is no privacy governance framework, or it exists on paper but is not implemented in practice.
- Warning signs are ignored - for example, repeated internal reports of insecure processes or inappropriate access.
- Processor due diligence is bypassed, or you operate without required contracts like a Data Processing Agreement.
- Incident response is chaotic because there’s no tested plan - something a clear Data Breach Response Plan is designed to fix.
- Marketing activities proceed without PECR controls (e.g. telemarketing without screening or consent, or non-compliant cookie tools), despite internal concerns - if you use calls for sales, review the rules on GDPR and business calls.
Remember, the question is not perfection - it’s reasonableness. The law expects appropriate measures relative to the size, nature and sensitivity of your processing. Documenting your decisions (and why they are proportionate) will help evidence that you took your responsibilities seriously.
What About Employees, Contractors And DPOs?
Most staff won’t face personal fines from the ICO for honest mistakes. Still, individuals can be personally liable (and even prosecuted) for deliberate wrongdoing, and they can face disciplinary consequences for carelessness that leads to a breach.
Employees
Employees must follow your policies, training and instructions. If they intentionally access, disclose or retain personal data without permission, they may commit a criminal offence under the Data Protection Act 2018. Your business may also be vicariously liable for employees acting in the course of employment, so prevention and training are essential.
Contractors And Suppliers
Contractors should be bound by written terms that restrict how they handle data and allocate responsibility clearly. If a third-party processor mishandles data, your business remains accountable to the ICO as controller - another reason to have a robust Data Processing Agreement and to vet suppliers carefully.
Data Protection Officers (DPOs)
Where you voluntarily appoint a DPO (or are required to), they advise and monitor compliance, but they are not personally responsible for your compliance outcomes. Management retains responsibility for resourcing and implementing measures. Do not penalise a DPO for performing their role - independence is part of the model.
AI And New Tools
Teams increasingly use AI and cloud tools. Those choices can introduce risks like overseas transfers, training on personal data and unclear data retention. It’s smart to set a policy for AI use and ensure any tools pass a basic privacy assessment - our tips on ChatGPT and GDPR outline the kind of safeguards to consider before rolling out new tech.
Practical Steps To Reduce Personal And Business Risk
Good news - the same steps that protect your business also reduce the chances of individuals being dragged into investigations or claims. Focus on these foundations:
1) Governance And Accountability
- Assign clear privacy roles and responsibilities at senior level.
- Keep a record of processing activities and risk decisions.
- Build privacy into projects early (privacy by design) and carry out DPIAs for higher-risk processing.
2) Policies And Training
- Publish an up-to-date Privacy Policy for customers and a staff-facing privacy handbook.
- Train everyone who handles personal data - training new starters and running annual refreshers is a solid baseline.
- Include practical scenarios (sending spreadsheets, using messaging apps, exporting data) and make reporting near-misses easy.
3) Contracts And Supplier Management
- Use a UK GDPR-compliant Data Processing Agreement with all processors.
- Check data location, sub-processor chains, security certifications and deletion processes before onboarding a tool.
- Build exit and audit rights into supplier contracts.
4) Security Basics That Make A Big Difference
- Enable MFA, device encryption and least-privilege access.
- Use secure sharing instead of email attachments where possible.
- Apply retention schedules to automatically delete data you no longer need (linking that back to your documented data retention rules).
5) Incident Response And Customer Rights
- Adopt a rehearsed Data Breach Response Plan so you can assess within 72 hours whether a report to the ICO is required.
- Have a repeatable process for subject access requests, including identity checks and redaction steps.
- If you rely on calls for marketing or support, make sure scripts and systems align with the rules on GDPR and business calls.
6) Cookies And Marketing
- Implement PECR-compliant consent for non-essential cookies - your cookie banners should genuinely allow users to refuse.
- Keep consent logs and unsubscribe mechanisms working across all channels.
These measures make it easier to show you took “reasonable steps” - a key factor in reducing organisational penalties and protecting individuals who acted in good faith.
Handling Breaches, ICO Investigations And Claims
Even with strong controls, incidents happen. How you respond matters for both the business and the people involved.
When A Breach Occurs
- Act fast: contain, assess, document. Use your Data Breach Response Plan.
- Evaluate risk to individuals: if likely to result in a risk to rights and freedoms, you may need to notify the ICO within 72 hours and, in higher-risk cases, inform affected individuals.
- Avoid blame-first: focus on facts and systems. If human error contributed, look at process fixes and training as well as accountability.
ICO Investigations
- Be cooperative, consistent and evidence-led - show your risk assessments, training logs and decision records.
- If individual misconduct is suspected (e.g. deliberate data theft), consider internal disciplinary processes and, where appropriate, report criminal conduct.
- Document remedial steps so the ICO can see improvements in real time.
Civil Claims And Staff Implications
- Expect that claims will target the company first. However, where a person acted outside the scope of their role or maliciously, they may be named personally.
- Ensure your contracts, policies and insurance arrangements reflect how you handle staff mistakes versus misconduct.
- For contractors and suppliers, make sure your Data Processing Agreement and wider contract terms allocate risk and indemnities sensibly.
If this all feels like a lot, don’t stress - most small businesses can reach a strong compliance baseline with a handful of well-chosen documents, some practical training and clear accountability. Getting tailored advice early will save headaches later.
Key Takeaways
- Organisations carry most UK GDPR risk, but individuals can be held responsible in specific scenarios - especially for deliberate wrongdoing under the Data Protection Act 2018 or where officers consent to, connive in or negligently allow offences.
- Directors and managers reduce personal exposure by setting clear accountability, resourcing privacy properly and documenting reasonable risk decisions.
- Employees rarely face personal fines for honest mistakes, but intentional misuse of data can be a criminal offence. Strong policies, training and culture are your best defence.
- Lock in the basics: an up-to-date Privacy Policy, a robust Data Processing Agreement with suppliers, a tested Data Breach Response Plan, sensible data retention, and compliant cookie banners.
- Prepare for requests and incidents: have processes for subject access requests and breach assessment so you can meet deadlines confidently.
- A practical, proportionate approach is what the law expects - and it’s achievable for small teams with the right systems and support.
If you’d like help putting these protections in place or assessing your exposure, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.