Both, but assuming the breach was inadvertent and no individual suffered loss as a result of the breach, the employer isn't going to have to pay anything to anyone as a result. The Information Commissioner can take action but I think it would be unlikely to in this kind of situation, beyond perhaps sending a reminder email to the relevant data controller to be more careful in future.