Data Protection Act Enforcers

Principles, Protections and Penalties

Who Enforces the Data Protection Act? If you are operating a business within the UK, chances are the Data Protection Act directly affects many of your responsibilities and practices regarding the personal data you process. After several years in development the General Data Protection Regulation (GDPR) was introduced across Europe in 2016 and became enforceable in May of 2018.

Incorporated into UK law in the form of the Data Protection Act (DPA) 2018, the regulation not only placed new responsibilities upon organisations that handle personal data, but also sought to strengthen the rights of citizens in relations to their data and address several decades of technological advancement.

Data Protect Act 2018

Replacing the Data Protection Act of 1998, the DPA 2018 built upon and forwarded many of the existing principles. Governing how organisations work with personal data, both the GDPR and the DPA centre around seven key principles.

The Seven Principles

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Who Enforces the Data Protection Act?

Though the GDPR is a European-wide piece of regulation, the application of the law is at the national level with each country establishing their own enforcement authority. In the UK the authority responsible for enforcement is the long-standing Information Commissioner, of the Information Commissioner’s Office (ICO).

As the independent official, the ICO’s mission includes upholding information rights, promoting openness by public bodies, as well as forwarding the data privacy of individuals. In this capacity, the Information Commissioner also has the power to levy large fines upon offending and non-compliant organisations.

Under the DPA, the ICO has the power to hand out fines equal to 20 million Euros, or 4% of global annual turnover from the previous year, whichever is greater. This comes as a sharp departure from the previous maximum (under the DPA 1998) of the relatively meagre £500,000.

History of the ICO

The Information Commissioner’s Office was originally founded in 1984 and since then, its role has grown considerably. With the introduction of the GDPR and the surrounding ‘excitement’, the independent authority has also expanded in prominence.

“[2018] has seen the biggest upgrade in UK data protection laws for a generation”

Information Commissioner’s Office

Having developed from a relatively small organisation, headed by a Data Protection Registrar, the organisation now handles tens of thousands of data protection complaints, thousands of freedom of information complaints and hundreds of thousands of calls to their helplines every year.

Since the mid-eighties, a great deal has changed in terms of the way organisations collect, handling and utilise personal data. The introduction of now ubiquitous personal electronics, not to mention a few high-profile cases of data mishandling, has seen the public’s expectations regarding data rights very much enter the zeitgeist.

Since 2016 the ICO has been led by Elizabeth Denham CBE who has overseen a plethora of important cases and investigations into the mishandling of personal data.

Enforcing with Fines

Including within the new seven principles of data protection is the ‘accountability’ principle. This guiding element of modern data protection law places the responsibility to protect personal data squarely upon organisations.

Not only do organisations have a responsibility and obligation to take the necessary precautions to protect data, they are also required to document and make their compliance demonstrable to authorities.

As well as this, organisations are also required to report any data breach to the ICO within 72 hours of becoming aware of the incident. Should any breached data likely result in a ‘high risk of adversely affecting individuals’ rights and freedoms’ then these parties must also be informed of the breach without ‘undue delay’.

In terms of who enforces the Data Protection Act, it may be the responsibility of the ICO to help, advise and potentially punish, it is also the responsibility of organisations to make sure they are informed, secure and compliant.

Failure to comply with any element of the DPA, including individual rights or data protection principles, can now result in hefty fines, far outweighing those previously possible.

Designed as a two tier system, the ‘higher maximum’ being 4% of annual turnover or 20 million Euros, reserved for the most serious of violations, and then the ‘standard maximum’, for lesser violations which amounts to only 2% of AT or 10 million Euros.

Data Protection Fee

Under the UK’s Data Protection Act, organisations which are responsible for the processing of personal data are in most cases required to pay the data protection fee to the Information Commissioner’s Office.

Covering all forms of processing, from medical data to crime prevention CCTV, the data protection fee accounts for between 85% to 90% of the ICO’s annual budget with the authority collecting around £40 million between 2018 and 2019 from the fee.

There are approximately 600,000 organisations already registered, each of which are publicly named by the ICO. Acting as an indication of adherence and compliance to data protection responsibilities, the fee ranges in cost from around £40 all the way up to £2,900, though is typically on the lower end of that spectrum.

This fee is based on a self-assessment which can be completed here and any organisation which has not already registered, should do so immediately to avoid any monetary penalties.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


How to improve your password security

How Secure is Your Password Process?

How Secure is your Password Process? Password security blog from Information Security Awareness Training provider Hut Six Security.

Data Protection Act Updates to Coverage

Who Does the Data Protection Act Apply To?

Who Does the Data Protection Act Apply to? Blog by Information Security Awareness Training and phishing simulator provider Hut Six Security

Social Engineering Methods

Why Social Engineering Works

What Social Engineering Methods do attackers use to get your personal information? Blog by Information Security Awareness Training provider Hut Six Security

Data Protection by the Numbers

What Year Was the Data Protection Act Introduced?

What Year Was the Data Protection Act Introduced? - 2018, however it has seen some changes as enforcements have increased.

Data Protection Principles

How Does the Data Protection Act Protect your Rights?

How Does the Data Protection Act Protect your Rights? Blog by information security awareness training provider Hut Six Security.

Ransomware Explained

How a Ransomware Attack Works

Knowing how a ransomware attack works is the key to avoiding them and the damage they can pose to your organisation. Blog by Hut Six Security.

Hut Six Staff Snippets: Handling Sensitive Information

Hut Six Staff Snippets: Handling Sensitive Information - Hut Six

Luke talks about his favourite Information Security tutorial, Handling Sensitive Information. Information Security video by Hut Six Security.

Recognising Phishing Attacks

4 Ways of Recognising Phishing Attacks in 2020

Ways of recognising phishing attacks to ensure your organisation stays secure. Blog by information security awareness training provider Hut Six Security.

Data Protection Act's Eight Principles

What are the Eight Principles of the Data Protection Act?

What are the Eight Principles of the Data Protection Act? Why has this changed to seven in the DPA 2018? Blog by Hut Six Security.

Hut Six Staff Snippets: Encouraging a Secure Culture

Hut Six Staff Snippets: Encouraging a Secure Culture - Hut Six

Kayleigh talks about her favourite Information Security tutorial, Encouraging a Secure Culture, which explains the importance of building a secure culture.