Data Protection Penalties

All UK organisations must comply with the Data Protection Act (DPA). If your organisation is found to be in breach of the DPA, not only will you risk loss of business and damage to your brand, but you could be subject to a penalty from the UK Information Commissioner's Office (ICO), including fines of up to £500,000. On this page we explain the different data protection penalties and how they can be prevented.

Call us on +44 (0) 845 070 1750 to discuss your DPA requirements.

DPA penalties and the ICO

The ICO has several options when it finds an organisation in breach of the Data Protection Act:

  • Monetary penalty notices: fines of up to £500,000 for serious breaches of the DPA.
  • Prosecutions and possible prison sentences for deliberately breaching the DPA.
  • Undertakings: organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
  • Enforcement notices: organisations in breach of legislation are required to take specific steps in order to comply with the law.
  • Audit: the ICO has the authority to audit government departments without consent.

Monetary penalty notices

In April 2010, the ICO was granted the power to issue fines of up to £500,000 for serious DPA breaches. As the ICO clamps down on more and more organisations, the number and value of fines issued for DPA-related penalties has rocketed:

  • 2010: two fines totalling £160,000
  • 2011: seven fines totalling £541,100
  • 2012: 17 fines totalling £2,143,000
  • 2013: £1,520,000 in total (nine fines totalling £1,120,000 had been issued by August)
  • 2014 (to September): £815,000

You can read all about the latest fines on the ICO's website.

How ISO27001 can help you comply with data protection law

ISO27001 encapsulates the information security elements of the majority of global privacy regulations, including the Data Protection Act, by providing a comprehensive framework for developing and implementing an auditable information security management system (ISMS). Find out how to get started with ISO27001 here.

Breaching the DPA

In July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1.1 million customers' personal details – including credit and debit card numbers – due to poor data security measures on its website.

Complying with the DPA is not just about confidentiality, it is also about the integrity and availability of that information.

Learn more about the DPA's requirements here.

So what can constitute a breach of the DPA? Here are some examples, as reported by the ICO:

  • Sending spam texts
  • Sending information to the wrong recipient
  • Confusing customer records
  • Failure to encrypt sensitive information
  • Loss of paper records
  • Not disposing of records correctly

Solutions to DPA compliance

As compliance specialists, IT Governance has been helping organisations achieve and maintain DPA compliance for over ten years. We recommend that organisations follow this standard approach to achieving DPA compliance:

  • Understand what the DPA is and how it affects your business
  • Identify your current level of conformance to the DPA
  • Identify gaps and take steps to achieve compliance
  • Review the efficacy of your information security management system (ISMS) against an internationally accepted standard such as ISO27001
  • Document your DPA and information security policies
  • Understand how to react if you suffer a data breach
  • Initiate DPA staff awareness training
  • Undertake information security staff awareness training

DPA resources

We have developed and sourced many products to help organisations meet the requirements of the DPA, whatever stage they may have reached in their compliance project:

The Data Protection Act Foundation Course is a logical place for any organisation to start. This one-day course provides an overview of the DPA, after which delegates will understand what is required for their organisation to become compliant.

The DPA Compliance Toolkit contains all the document templates and tools that are essential for achieving compliance. The toolkit also includes guidance on how to complete these templates and what to do to ensure on-going compliance.

The DPA Compliance with BS 10012 Toolkit provides templates and model documents for those implementing a personal information management system (PIMS) according to British Standard BS10012.

We also provide a comprehensive DPA bookstore. These titles have been deemed most useful by our customers:
