The Devil is in the…Data Protection Breach

We’ve been talking A LOT about data protection on our socials this week. Since it’s almost Halloween, let’s scare you a little…

For the most serious of data protection breaches, you could face a maximum fine of £17.5 million or 4% of your annual global turnover, whichever is greater. Are you scared yet?!

Fines at that level are reserved for the most serious cases, but the ceiling is worth keeping in mind. Not every breach results in a fine. The Information Commissioner’s Office (ICO, the UK’s independent authority on data protection) can instead issue a warning or reprimand, temporarily or permanently ban you from processing personal data, or order you to delete personal data altogether. Which of these you get depends on how serious the failure was and how you handled it.

What’s scary though is that ICO enforcement actions (including penalties issued) are published on the ICO website, which could damage the reputation you’ve worked so hard to earn.

What can you do to avoid committing a breach?

Understand what personal data is

In a nutshell, personal data is any information relating to a living person who can be identified from it, whether directly (such as their full name together with their date of birth or contact details) or indirectly (such as their first name combined with the company they work for). Treat it as personal data if you can work out who it is about.

A personal data breach is a security failure in which personal data is accidentally or unlawfully destroyed, lost, altered, disclosed to an unauthorised person or accessed by one. Typical examples are emailing personal data to the wrong recipient, an attacker gaining access to your systems, or losing a USB stick with customer personal data saved on it. Loss of access counts too: ransomware that encrypts your customer records is a breach even if nothing is copied. You need to keep personal data safe at all times!

Internal processes

You should implement the following into your business processes:

  • Nominate a person in your business who is responsible for data protection.
  • Think carefully about who actually needs access to customer personal data, and remove access from everyone who doesn’t.
  • Encrypt personal data wherever it is stored or sent (encrypted laptops and USB sticks, encrypted email or file transfer), and protect the accounts that can reach it with strong, unique passwords.
  • Train your staff on their data protection obligations, and repeat the training regularly.
  • Produce a company data protection policy and make sure staff know where to find it.
  • Keep a log of all data breaches, including those you decide not to report to the ICO, recording what happened, who was affected and what you did about it.

Reporting Breaches

You must report a breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Not every breach is reportable, though: the duty applies where the breach is likely to pose a risk to people’s rights and freedoms. For instance, if your customer database, which holds names and contact details, is accessed by an unauthorised third party such as a hacker, that data could be used to commit identity fraud, so it is likely to affect their rights and freedoms. You should report this! If you decide a breach does not need reporting, record that decision and your reasons in your breach log.

Where a breach is likely to result in a high risk to the people affected, you must also tell those customers as soon as possible, explaining the nature of the breach, what it means for them, and what steps you have taken to mitigate the risks posed to them.

Marketing emails

If you send out email marketing to your customers, they must have consented to being contacted in this way. That consent can be withdrawn at any time, and you need to act on such a request promptly so as not to fall foul of the ICO. Many of the enforcement actions published on the ICO’s website relate to marketing messages. A recent example is a fine of £200k issued to We Buy Any Car for sending 191.4 million marketing emails and 3.6 million marketing texts without valid consent over a 12 month period. The moral of the story: consent is key!


If you need help with data protection – hop onto one of our free legal advice calls here.
