
Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

We have witnessed a number of large breaches of personal data over the past couple of days, from the hacking of the Electoral Commission involving UK voters’ personal data being exposed, to thousands of Police Service of Northern Ireland officers and civilian staff also having their personal data compromised.

Another fairly recent data breach was that of Capita, the outsourcing giant used by many public and private organisations and handling the personal data of millions of people. Capita suffered a cyber-attack in May this year, which resulted in a number of pension funds being hit. Personal data was accessed and possibly copied by the hackers. Hundreds of thousands of people may be affected. It later emerged that Capita had left a repository of files unsecured online.

What is a personal data breach?

A personal data breach under the UK GDPR is defined as “a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Individuals are entitled to go to court to enforce their rights under data protection law if they believe these have been breached, and/or to claim compensation for any damage caused, including any distress that may have been suffered. Capita is now facing a class action lawsuit, estimated to be around £20 million.

What are the repercussions for organisations dealing with data breaches?

Organisations that breach data protection law are exposed not only to claims from the data subjects themselves, but also to enforcement action by the relevant data privacy watchdog. In the UK, this is the Information Commissioner’s Office (ICO). Infringements of data protection law carry hefty fines. The UK GDPR and the Data Protection Act 2018 set a maximum fine of the greater of £17.5 million or 4% of an organisation’s annual global turnover.

In May this year, the ICO issued a £12,700,000 fine to TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully. The ICO also issued a fine with a combined total of £180,000 to two companies which made unlawful marketing calls to businesses signed up with the UK’s “Do not call” register. This demonstrates that the ICO takes data breaches seriously and holds organisations accountable for their actions.

Other notable fines in this area include Google’s sizeable GDPR fine of €50m (£43.2m) issued after a French regulator found that Google had failed to make its consumer data processing statements easily accessible to users, and H&M’s €35.3m (£32.1m) fine after German regulators found that H&M was secretly monitoring its employees.

A report on organisations’ cost of data breaches shows a 15% rise over the past three years. This may not come as a surprise, as the pandemic has accelerated the use of digital technologies. The increase in hybrid working has also confronted organisations with the limits of data security in employees’ homes. Although the increased use of technology by organisations is a positive, it is clearly not without risks.

What to do in the event of a data breach

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, there is a duty to notify the ICO of the breach within 72 hours of the organisation becoming aware of it. Employees should also ensure that they comply with their employers’ reporting procedures and policies on data breaches. For more information on an organisation’s obligation to report data breaches, listen to our podcast on data breaches.
