Data Protection Act Punishment

Principles, GDPR and Failure to Comply

The UK’s Data Protection Act 2018, which incorporates the European Union’s General Data Protection Regulation (GDPR), has been a major step forward both for the rights of individuals and for the obligations of organisations handling personal data. What is the punishment for breaking the Data Protection Act? Read on to find out.


Updating the Data Protection Act 1998, this modernised legislation sought to raise data protection standards, strengthening individuals’ rights and enforcing organisations’ obligations at a time when personal information has become a sought-after commodity for both legitimate businesses and international criminal enterprises.

Like its predecessor, both the DPA 2018 and the GDPR allow substantial fines to be levied against offending organisations. Fines are tiered according to the severity of the infringement, with the regulator considering the circumstances that led to a breach, the organisation’s response to the incident and its overall impact.

Given the publicity surrounding recent substantial fines, organisations are justified in asking: what is the punishment for breaking the Data Protection Act, and what exactly does the DPA mean for my business?

What is Data Protection?

The DPA governs how businesses and other organisations use your personal information. It requires that personal data is used fairly and lawfully, is accurate and up to date, is used only for explicitly stated purposes and is handled in an appropriately secure manner. By incorporating the Europe-wide GDPR, the DPA provides a greater level of protection for the data rights of individuals.

The GDPR’s requirements apply not only to organisations established in the EU, but also to organisations outside the EU that process the personal data of people in the EU, for example by offering them goods or services or by monitoring their behaviour. So although Facebook is an American company, the data it collects on people in the EU must be managed as carefully as a German company would be required to manage it.

Personal Data

For the purposes of the GDPR, personal data is defined as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Breaking the Data Protection Act – Case Study

Doorstep Dispensaree Ltd Fined £275,000

In late 2019, the Information Commissioner’s Office announced a fine levied against a London-based pharmacy. The penalty came as a result of the pharmacy’s failure to ensure the security of special category data, which was kept in unlocked containers at the back of its premises.

Around 500,000 documents containing medical and other sensitive information were found unprotected, not only from prying eyes but also from the elements, with many files found to be rain damaged. This negligence resulted in a £275,000 fine and an enforcement notice ordering the pharmacy to improve its data protection processes within three months or face further action.


In the Event of a Breach

As well as asking what the punishment for breaking the Data Protection Act is, it is worth understanding what constitutes a breach. A ‘personal data breach’ does not just mean stolen data; legally it encompasses a variety of incidents, being defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

For example, losing a USB drive containing personal data is a breach (a loss of the data) whether or not the drive is encrypted. The difference lies in the risk: if the drive was strongly encrypted and the key or passphrase was not lost with it, the breach is unlikely to result in a risk to the individuals concerned and may not need to be reported, whereas losing the same drive unencrypted is a reportable incident. In either case you need to be able to demonstrate what protection was actually in force on the lost device.

Should your organisation suffer a security incident affecting the personal data it handles, the law imposes specific responsibilities with which you must comply.

  • Unless a personal data breach is unlikely to result in a risk to the rights and freedoms of individuals, an organisation must report it to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification takes longer than 72 hours, the reasons for the delay must be given.
  • If the breach is likely to result in a high risk to the rights and freedoms of data subjects, those individuals must also be informed “without undue delay.”
  • You must also ensure you have “robust breach detection, investigation and internal reporting procedures in place.”

A breach that goes unreported leaves the affected individuals unable to protect themselves from its consequences, which can include discrimination, damage to reputation, financial loss and social or economic disadvantage.

Every incident must be assessed on a case-by-case basis, and organisations must be able to justify their decision to report, or not to report, a breach to the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).

Organisations must also keep a record of every personal data breach, including the facts of the breach, its effects and the remedial action taken, regardless of whether they are required to, or decide to, notify the authority.


The Information Commissioner has the power to issue fines for infringing data protection law, including for failing to report a breach. A failure to notify falls within the ‘standard maximum’ tier: a fine of up to 10 million euros or 2% of an organisation’s total annual worldwide turnover, whichever is higher.

The most serious violations fall within the ‘higher maximum’ tier: a fine of up to 20 million euros (or the sterling equivalent) or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.

Organisations wishing to avoid these fines should be aware that the higher maximum applies to failure to comply with “any of the data protection principles, any rights an individual may have or in relation to any transfers of data to third countries.” Keeping personal data secure is one of those principles, and controls such as security awareness training and phishing simulation form part of meeting it.

Breaking the Data Protection Act – Case Study

Facebook/Cambridge Analytica Scandal

The violation, which occurred in 2015, before the GDPR came into force, and became public in early 2018, resulted in the maximum fine available under the Data Protection Act 1998: £500,000. Had Facebook’s failure to protect user data occurred after the introduction of the GDPR, the ICO could have fined it up to 4% of its 2018 global revenue, around £1.7 billion.

Deputy Commissioner of the ICO, James Dipple-Johnstone noted regarding the fine, “Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals…we expect that Facebook will be able to move forward and learn from the events of this case”.

The Principles of the DPA

How Has DPA Changed?

Under the Data Protection Act 1998, eight data protection principles sat at the centre of the legislation. In 2018 these principles were developed further by the European Union’s GDPR and made part of UK law by the DPA 2018.

There is a great deal of cross-over between the 1998 and 2018 Acts, and several of the GDPR’s seven principles are only slight augmentations of the old ones. The table below shows how the eight principles of the 1998 Act map onto the GDPR.

 1998 Act                                GDPR
 Principle 1 – fair and lawful           Principle (a) – lawfulness, fairness and transparency
 Principle 2 – purposes                  Principle (b) – purpose limitation
 Principle 3 – adequacy                  Principle (c) – data minimisation
 Principle 4 – accuracy                  Principle (d) – accuracy
 Principle 5 – retention                 Principle (e) – storage limitation
 Principle 6 – rights                    No principle – separate provisions in Chapter III
 Principle 7 – security                  Principle (f) – integrity and confidentiality
 Principle 8 – international transfers   No principle – separate provisions in Chapter V
 (no equivalent)                         Accountability principle

All organisations operating under the DPA 2018 or the GDPR should familiarise themselves with the information the Information Commissioner’s Office publishes on fines and penalties; it is an invaluable resource for anyone asking what the punishment for breaking the Data Protection Act is.
