bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

Personal Data Breaches and Enforcement under the #GDPR

08 February 2016

One of the headline grabbing features of the new data protection regime that is likely to be in place by mid-2018 are the maximum fines that the ICO will be able to impose. ‘Administrative fines’ of up to €20,000,000 or 4% of global turnover will be available for certain infringements, with less serious infringements attracting fines of up €10,000,000 or 2% of global turnover.

This is a significant increase in the UK where the maximum monetary penalty that the ICO can currently impose is £500,000. Maximum fines differ throughout Europe but come 2018 the maximum fine level will be unified and the consistency of fines will be monitored. These fined can be imposed on data controllers and data processors.

The UK Government will decide how the fines will be imposed and what procedural safeguards should be in place so that there is effective judicial protection and due process. There is also an option for the UK Government to decide on the creation of criminal sanctions under the GDPR. Member States can also choose whether fines can be imposed on public sector bodies.

With the introduction of such significant fines, it will be interesting to see how the UK ensures that they are subject to adequate procedural safeguards? At the moment the ICO acts as the investigator, the jury and the sentencer. There is judicial oversight on appeal exercised by the Information Rights Tribunal, but organisations are discouraged from appealing against the level of fine imposed as they stand to lose the discount of 20% which the ICO currently offers on payment of the fine within 28 days. The discount is contingent on there being no appeal. When considering the costs incurred to take an appeal, along with the potential for more negative publicity during the appeal process, it is little wonder that there have only been three appeals against fines imposed under the DPA since their introduction in 2010.

An added complication is that organisations will be obliged to report certain personal data breaches to the ICO if they are likely to cause a significant risk to the rights and freedoms of the data subjects within 72 hours or without undue delay. Failing to report a breach to the ICO, or failing to report without undue delay, could attract a fine of up to €20,000,000.

So in the case of Talk Talk, if the GDPR had been in force when they suffered their cyber-attack in October 2015 and if the ICO was to find that they infringed the new data protection principles set out in the Regulation (Articles 5(1eb) and 30 spring to mind) then the ICO could impose a fine under the GDPR of up to 4% of Talk Talk’s global turnover, which based on recent accounts would be up to £35 million.

The Regulation also enshrines the right of data subjects to be awarded compensation if they suffer as a result of data controllers and/or data processors infringing the Regulation. It is yet to be seen if the customers of Talk Talk will raise equivalent actions under the DPA but in 2015 we saw a class action being raised against Morrisons Supermarket and 2,000 employees are claiming compensation because their personal and financial information was posted on a website by a disgruntled Morrisons employee. The threshold for claiming compensation under the DPA is currently whether the data subject has suffered damage or distress and that threshold will remain under the GDPR, referred to as material or immaterial damage.

The consequences of a breach both financial and reputational are increasing. People, customers and clients, are more aware of who is looking after their personal data and are therefore are more likely to interact with an organisation who can demonstrate that it will look after their data properly. Now is the time to ensure that your business complies with the DPA and that business practices are future-proofed to ensure compliance with the GDPR which will be with us in two short years.

For a more detailed analysis please CLICK HERE.

BTO’s Data Protection Defence Team can assist you to ensure compliance and to future-proof that compliance under the GDPR. We will keep you up to date with the significant changes that the GDPR is going to provide via our bespoke GDPR webpage to be found here.

See more about what BTO’s Data Protection Defence Team we can do for you here.

Disclaimer: the information provided in this webpage is not legal advice in relation to how to comply with the Data Protection Act 1998 or the General Data Protection Regulation.


“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO


  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803


  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949