Search

How can we help?

Icon

Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

We have witnessed a number of large breaches of personal data over the past couple of days, from the hacking of the Electoral Commission involving UK voters’ personal data being exposed, to thousands of Police Service of Northern Ireland officers and civilian staff also having their personal data compromised.

Another fairly recent data breach was that of Capita, the outsourcing giant used by many public and private organisations and handling the personal data of millions of people. Capita suffered a cyber-attack in May this year, which resulted in a number of pension funds being hit. Personal data was accessed and possibly copied by the hackers. Hundreds of thousands of people may be affected. It later emerged that Capita had left a repository of files unsecured online.

What is a personal data breach?

A personal data breach under the UK GDPR is defined as “a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Individuals are entitled to go to court to enforce their rights under data protection law if they believe these have been breached, and/or to claim compensation for any damage caused, including any distress that may have been suffered. Capita is now facing a class action lawsuit, estimated to be around £20 million.

A report on organisations’ cost of data breaches shows a 15% rise on the past three years.

What are the repercussions for organisations dealing with data breaches?

Organisations breaching data protection law are not only liable from the data subjects’ side, but also from the relevant data privacy watchdog. In the UK, this is the Information Commissioner’s Office (ICO). Infringements of data protection law carry hefty fines. The UK GDPR and the Data Protection Act 2018 set a maximum fine of the greater of £17.5 million, or 4% of an organisation’s annual global turnover.

In May this year, the ICO issued a £12,700,000 fine to TikTok for a number of breaches of data protection law, including failing to use children’s personal data lawfully. The ICO also issued a fine with a combined total of £180,000 to two companies which made unlawful marketing calls to businesses signed up with the UK’s “Do not call” register. This demonstrates that the ICO takes data breaches seriously and holds organisations accountable for their actions.

Other notable fines in this area include Google’s sizeable GDPR fine of €50m (£43.2m) issued after a French regulator found that Google had failed to make its consumer data processing statements easily accessible to users, and H&M’s €35.3m (£32.1m) fine after German regulators found that H&M was secretly monitoring its employees.

A report on organisations’ cost of data breaches shows a 15% rise on the past three years. This may not come as a surprise as the pandemic has accelerated the use of digital technologies. The increase in hybrid working has also faced organisations with limitations on data security at employees’ homes. Although the increased use of technology by organisations is a positive, clearly, it is not without risks.

What to do in the event of a data breach

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, there is a duty to notify the ICO of the breach within 72 hours of the organisation becoming aware of it. Employees should also ensure that they comply with their employers’ reporting procedures and policies on data breaches. For more information on an organisation’s obligation to report data breaches, listen to our podcast on data breaches.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 02 December 2024
  • Litigation and dispute resolution

The Era of AI

In this recent case, the First-Tier Tribunal gave a stark warning to litigants about use of AI in litigation.

Pub
  • 26 November 2024
  • Privacy and Data Protection

Key FAQs on Data Subject Access Requests (DSARs)

Understanding Data Subject Access Requests (DSARs) is crucial for businesses. In this podcast, Lucy Densham Brown and Jacob Montague, members of the Data Protection team, have narrowed down the top frequently asked questions we receive regarding DSARs.

art
  • 18 November 2024
  • Privacy and Data Protection

FAQs – Privacy Documentation

Clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR. It is essential that such policies are communicated within an entity and staff are regularly trained on these.

art
  • 04 November 2024
  • Privacy and Data Protection

FAQs – Data Subject Access Requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject.

art
  • 29 October 2024
  • Privacy and Data Protection

The ICO’s 2024-2025 priorities for protecting children’s personal information online

The Information Commissioner Officer (the “ICO”) has set out its 2024-2025 priorities for protecting children’s personal information online.

art
  • 12 September 2024
  • Privacy and Data Protection

2024 in review: tracking key data protection developments

As we approach the final quarter of 2024, it’s an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023. Now, let’s see how those predictions have played out.