LRD guides and handbook April 2024

Data protection and monitoring An LRD guide to privacy at work

Chapter 1

Penalties for breach of data protection law

[page 18]

Responsibility for enforcing the UK GDPR and the DPA 2018 lies with the ICO. You can make a complaint online through its website (ico.org.uk), where you can also find details of action it has taken in previous cases.

The ICO has various powers to take action for a breach of the UK GDPR or DPA 2018. This can include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines).

Penalties for organisations are potentially very high. For serious breaches of the data protection principles, the ICO has the power to issue fines of up to £17.5 million or 4% of the organisation’s annual worldwide turnover, whichever is higher. However, fines at this level are uncommon. The ICO says its approach is to focus on cases involving “reckless or deliberate harms”, and that it is unlikely to take enforcement action against an organisation that is genuinely seeking to comply with the legislation or where a member of staff has made a genuine mistake.

The ICO cannot award compensation. If it finds that an employer has breached data protection law, an affected individual may be able to claim damages for financial loss and/or compensation for distress in the civil courts.

A breach of an ICO Code does not make a dismissal unfair (see City and County of Swansea v Gayle [2013] UKEAT 0336/12, page 22).