The protection of data in the UK is regulated under the Data Protection Act 2018, which is the implementation of the General Data Protection Regulation (GDPR) in UK law.
This legislation controls the collection, processing and use of personal data and places strict obligations on how data is used by organisations. For example, data must be used fairly, lawfully and transparently, for specified purposes, and only with the user’s consent. It must be handled securely and kept for no longer than required for its intended purpose.
The GDPR introduces a duty on all organisations to report personal data breaches to the relevant supervisory authority within 72 hours.
Failure to notify the Information Commissioner’s Office (ICO) of a breach when required to do so can result in a significant fine of up to £8.7 million or 2% of a company’s global turnover.
It is therefore essential that an organisation has a robust breach-reporting process in place to detect and notify breaches on time, and mitigate any wide-ranging consequences. This is particularly crucial if there is a risk to the rights and freedoms of data subjects.
Certain breaches of the GDPR, including Section 170, can also lead to criminal prosecution of employees who access personal data unlawfully or their employers who control the data. Under Section 170 GDPR, it is a criminal offence to knowingly or recklessly obtain, disclose or use personal data without the consent of the data controller. This includes selling the data.
An employer would also be liable if the organisation has failed to implement adequate security measures as required under the DPA/GDPR.
The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights and ensure organisations meet their information rights obligations.
The ICO can take enforcement action against organisations in breach of GDPR, and issue financial penalties, enforcement notices and prosecutions. It also has additional powers to work alongside agencies in relation to confiscation proceedings under the Proceeds of Crime Act (POCA). Fines can total up to EUR 20 million or 4% of the total worldwide annual turnover of a business, whichever is higher.
It is therefore essential to seek legal advice as soon as possible in relation to reporting a data protection breach or responding to a notice from the ICO.
Our experienced Regulatory Lawyers at Nicholls & Nicholls can provide advice and assistance on GDPR compliance, and engage with the ICO on your behalf.