Dutton Gregory Banner Image
News and Events

Data Protection: Penalties and how to avoid them

  • Posted
Data Protection: Penalties and how to avoid them

When the General Data Protection Regulation (GDPR) was implemented in 2018, data protection became a huge topic and the law continues to evolve. In this article Laurie Heizler warns businesses of the risks they taking if they fail to comply.

Any British business that thought the duty to comply with GDPR was killed off with Britain’s exit from the European Union was very much mistaken. The Data Protection Act 2018 implemented the “UK GDPR” which continues the GDPR as UK law with all of its essential features remaining unchanged.

Policies & Procedures

It is crucial that businesses have privacy policies and procedures if they process data relating to, for example, personal customers.  A privacy policy should not be a standard off-the-shelf document, but describe exactly the basis on which personal data is collected, retained and processed. There is an active obligation on all data “controllers” to ensure that any new data processing is in line with data protection principles and performed in accordance with the law.


Serious breaches of the GDPR may be investigated by the Information Commissioner’s Office (ICO) which may issue enforcement notices to ensure the necessary steps are taken to achieve compliance. Even if the breach is corrected, the immediate sanction might be reputational damage with customers and suppliers.


In the most serious cases the ICO may impose “administrative penalties” (fines) which may be any amount up to 4% of the entity’s annual worldwide turnover or £17.5 million (whichever the greater).

In 2021, British Airways was fined £20 million after hackers were able to obtain consumer login and payment details; and Marriott was fined £18.4 million after it acquired a business with its own security-compromised hotel reservations system resulting in data breaches affecting multiple customers.

Naturally, penalties of this order would be catastrophic for any small or medium-sized business, but it is highly unlikely in practice that entities that do not process on a large scale data would ever face disproportionate fines.

Can I be sued?


In theory, Section 168 of the 2018 Act provides for compensation for material damage as well as distress suffered by people as a result of personal data breaches, but in practice it has been very difficult for claimants to obtain significant payments. Often the costs of bringing a legal action are out of proportion to the size of any damages award.

What can I do?

There is always a risk that a company may be obliged to pay both fines and civil compensation, depending on the volume of personal data processed, the degree to which it is sensitive, and whether any breach could materially damage the data subjects in question (for example, accidental disclosure of health information or banking details). There is the possibility of “class actions” where a number of claimants suffering the same damage can bring legal actions more cost-effectively.

However, in each case, the risks must be mitigated. We suggest businesses perform a thorough review of all personal data they collect and how it is dealt with.

Ask yourself: “Do I have the legal entitlement to process this data?” You will need to understand what the different grounds in the legislation that allow you to process data and how they are interpreted and applied.  Impact assessments should in common with privacy policies be reflective of what you actually do with personal data.

Above all, take all reasonably necessary steps to ensure that the computer systems you use are adequate to ensure that the personal data you handle is kept secure.

If you have any data protection issues or simply want to know more, we have the expertise to help you. Please contact Laurie Heizler (l.heizler@duttongregory.co.uk) on 01962 624423.