Search

How can we help?

Icon

Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

We have witnessed a number of large breaches of personal data over the past couple of days, from the hacking of the Electoral Commission involving UK voters’ personal data being exposed, to thousands of Police Service of Northern Ireland officers and civilian staff also having their personal data compromised.

Another fairly recent data breach was that of Capita, the outsourcing giant used by many public and private organisations and handling the personal data of millions of people. Capita suffered a cyber-attack in May this year, which resulted in a number of pension funds being hit. Personal data was accessed and possibly copied by the hackers. Hundreds of thousands of people may be affected. It later emerged that Capita had left a repository of files unsecured online.

What is a personal data breach?

A personal data breach under the UK GDPR is defined as “a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Individuals are entitled to go to court to enforce their rights under data protection law if they believe these have been breached, and/or to claim compensation for any damage caused, including any distress that may have been suffered. Capita is now facing a class action lawsuit, estimated to be around £20 million.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

A report on organisations’ cost of data breaches shows a 15% rise on the past three years.

What are the repercussions for organisations dealing with data breaches?

Organisations breaching data protection law are not only liable from the data subjects’ side, but also from the relevant data privacy watchdog. In the UK, this is the Information Commissioner’s Office (ICO). Infringements of data protection law carry hefty fines. The UK GDPR and the Data Protection Act 2018 set a maximum fine of the greater of £17.5 million, or 4% of an organisation’s annual global turnover.

In May this year, the ICO issued a £12,700,000 fine to TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully. The ICO also issued a fine with a combined total of £180,000 to two companies which made unlawful marketing calls to businesses signed up with the UK’s “Do not call” register. This demonstrates that the ICO takes data breaches seriously and holds organisations accountable for their actions.

Other notable fines in this area include Google’s sizeable GDPR fine of €50m (£43.2m) issued after a French regulator found that Google had failed to make its consumer data processing statements easily accessible to users, and H&M’s €35.3m (£32.1m) fine after German regulators found that H&M was secretly monitoring its employees.

A report on organisations’ cost of data breaches shows a 15% rise on the past three years. This may not come as a surprise as the pandemic has accelerated the use of digital technologies. The increase in hybrid working has also faced organisations with limitations on data security at employees’ homes. Although the increased use of technology by organisations is a positive, clearly, it is not without risks.

What to do in the event of a data breach

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, there is a duty to notify the ICO of the breach within 72 hours of the organisation becoming aware of it. Employees should also ensure that they comply with their employers’ reporting procedures and policies on data breaches. For more information on an organisation’s obligation to report data breaches, listen to our podcast on data breaches here.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

About this article

Read, listen and watch our latest insights

Pub
  • 26 March 2024
  • Privacy and Data Protection

AI Podcast: AI and Data Security

In the third and final podcast in our ‘AI Podcast’ trilogy, members of the data protection team, will be discussing how to use AI to process data safely. They will be looking closely at the risks for businesses and the types of data security protections you can put in place.

art
  • 26 March 2024
  • Privacy and Data Protection

Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries.

art
  • 18 March 2024
  • Privacy and Data Protection

Consent or pay: Issues and considerations, Meta’s potential breach

The ICO has stated that any organisation considering using “consent or pay” must ensure that the consent to processing of personal data for personalised advertising is being given freely, and is fully informed.

art
  • 13 March 2024
  • Privacy and Data Protection

21 March 2024 Deadline: Are your international data transfer agreements compliant?

If your organisation transfers personal data from the UK to another country, it needs to comply with statutory requirements to ensure adequate levels of protection for that data are in place.

art
  • 06 March 2024
  • Privacy and Data Protection

Personal Data Breaches – How do I deal with them?

This article will provide an overview of the steps to take when experiencing a personal data breach.

Pub
  • 05 March 2024
  • Privacy and Data Protection

How do I protect my business in the event of a personal data breach?

Don’t let your business fall victim to personal data breaches. Join Louise Keenan and Rebecca Dowle, for a quick overview of how to protect your business.