Data Protection Penalties

Take part in our EU data protection survey

As the finalisation of the EU General Data Protection Regulation (GDPR) approaches, we would like to find out how businesses are preparing for the anticipated changes. We have therefore compiled a short survey to find out what you think. All respondents will receive a copy of the resulting Data Protection Report.

Take the survey now.


Download the 2014 Data Protection Compliance Research Report

  • 66 enforcement notices issued by the ICO for DPA infringements between January 2013 and October 2014.
  • £2.17M in monetary penalties issued during this period.
  • Loss of business, brand damage and fines up to £500K can result from a breach of the Data Protection Act 1998 (DPA).
  • And there's more to come: fines of up to 5% of global turnover are being proposed in the new EU GDPR.


DPA penalties and the ICO

Today, the Information Commissioner's Office (ICO) has several options when it finds an organisation in breach of the DPA:

  • Monetary penalty notices: fines of up to £500,000 for serious breaches of the DPA.
  • Prosecutions: including possible prison sentences for deliberately breaching the DPA.
  • Undertakings: organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
  • Enforcement notices: organisations in breach of legislation are required to take specific steps in order to comply with the law.
  • Audit: the ICO has the authority to audit government departments without consent.

Monetary penalty notices

In April 2010, the ICO was granted the power to issue fines of up to £500,000 for serious DPA breaches. As the ICO clamps down on more and more organisations, the number and value of fines issued for DPA breaches have rocketed:

  • 2010: two fines totalling £160,000
  • 2011: seven fines totalling £541,100
  • 2012: 17 fines totalling £2,143,000
  • 2013 (to August): nine fines totalling £1,120,000
  • 2013 total: £1,520,000
  • 2014 until September: £815,000

You can read all about the latest fines on the ICO's website.

How ISO27001 can help you comply with data protection law

ISO27001 encapsulates the information security elements of the majority of global privacy regulations, including the Data Privacy Act, by providing a comprehensive framework for developing and implementing an auditable Information Security Management System. Find out how to get started with ISO27001 here.

Breaching the DPA

In July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1.1 million customers' personal details, including credit and debit card numbers, due to poor data security measures on its website.

Complying with the DPA is not just about confidentiality; it is also about the integrity and availability of that information.

Learn more about the DPA's requirements here.

So what can constitute a breach of the DPA? Here are some examples, as reported by the ICO:

  • Sending spam texts
  • Sending information to the wrong recipient
  • Confusing customer records
  • Failure to encrypt sensitive information
  • Loss of paper records
  • Not disposing of records correctly

Solutions to DPA compliance

As compliance specialists, IT Governance has been helping organisations achieve and maintain DPA compliance for over ten years. We recommend that organisations follow this standard approach to achieving DPA compliance:

  • Understand what the DPA is and how it affects your business
  • Identify your current level of conformance to the DPA
  • Identify gaps and take steps to achieve compliance
  • Review the efficacy of your information security management system (ISMS) against an internationally accepted standard such as ISO27001
  • Document your DPA and information security policies
  • Understand how to react if you suffer a data breach
  • Initiate DPA staff awareness training
  • Undertake information security staff awareness training

DPA resources

We have developed and sourced many products to help organisations meet the requirements of the DPA, whatever stage they may have reached in their compliance project:

The Data Protection Act Foundation Course is a logical place for any organisation to start. This one-day course provides an overview of the DPA, after which delegates will understand what is required for their organisation to become compliant.

The DPA Compliance Toolkit contains all the document templates and tools that are essential for achieving compliance. The toolkit also includes guidance on how to complete these templates and what to do to ensure ongoing compliance.

The DPA Compliance with BS 10012 Toolkit provides templates and model documents for those implementing a personal information management system (PIMS) according to British Standard BS10012.

We also provide a comprehensive DPA bookstore. These titles have been deemed most useful by our customers:

Call us on +44 (0) 845 070 1750 to discuss your DPA requirements.