Businesses in the UK need to consider two pieces of legislation with regard to data protection: the Data Protection Act 2018 (DPA), which enacted the EU’s General Data Protection Regulation (GDPR) into English law and applies to UK residents’ personal data, and the GDPR itself which, despite Brexit, continues to apply to EU residents and to products and services offered into the EU. This means that a UK-based data processor (an entity which processes personal data) whose breach of data protection duties affects people residing in the EU, or EU citizens residing in the UK, may still be liable to prosecution by the EU authorities.
It’s important to note that not all GDPR breaches immediately lead to fines in the UK, as the Information Commissioner’s Office (ICO) can also issue warnings or restrict data processing rights. Whilst an individual may also be liable for fines from the ICO, this in practice will only occur if they are running a business as a sole trader, and any fine would be commensurate with the scale of the breach and harm caused. Examples of data breaches include the disclosure of personal information, payroll data and medical history records.
The ICO can, under Part 6 of the DPA, impose on a data processor one of two tiers of maximum fine for an infringement of Part 3 of the DPA: the higher maximum and the standard maximum. The ICO uses a nine-step process to determine the proposed penalty, which includes considering the seriousness of the contravention, its determination of turnover, and the means of the organisation to pay.
The higher maximum applies to a serious breach of the DPA. For example, if a data processor fails to comply with an Information Notice, an Assessment Notice or an Enforcement Notice issued against it by the ICO, the ICO has the power to impose substantial fines of up to £17.5 million, or 4% of its total worldwide annual turnover, whichever is higher.
The standard maximum applies to a breach of the other provisions of the DPA, and is £8.7 million, or 2% of the data processor’s total worldwide annual turnover, again whichever is higher.
In addition to ICO fines, a data processor may also face separate civil claims from individuals who have been the victims of data breaches. Claimants may succeed if they can demonstrate that they have suffered loss as a result of the breach. Such breaches have recently led to class actions, whereby groups of individuals collectively bring a claim, as occurred in the case of British Airways.
If you feel that your privacy rights have been breached, if someone has alleged that you have breached their rights, or if you are otherwise struggling to comply with your obligations, please contact Rachel Waller (with respect to general breaches) or Michael Kashis (with respect to reviewing commercial contracts to ensure compliance with Data Processor and Data Controller obligations under GDPR).
The above is accurate as at 13 August 2021. The information above may be subject to change during these ever-changing times.
The content of this note should not be considered legal advice and each matter should be considered on a case-by-case basis.