Principles, Protections and Penalties

Who Enforces the Data Protection Act? If you are operating a business within the UK, chances are the Data Protection Act directly affects many of your responsibilities and practices regarding the personal data you process. After several years in development the General Data Protection Regulation (GDPR) was introduced across Europe in 2016 and became enforceable in May of 2018.

Incorporated into UK law in the form of the Data Protection Act (DPA) 2018, the regulation not only placed new responsibilities upon organisations that handle personal data, but also sought to strengthen the rights of citizens in relations to their data and address several decades of technological advancement.

Data Protect Act 2018

Replacing the Data Protection Act of 1998, the DPA 2018 built upon and forwarded many of the existing principles. Governing how organisations work with personal data, both the GDPR and the DPA centre around seven key principles.

The Seven Principles

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Who Enforces the Data Protection Act?

Though the GDPR is a European-wide piece of regulation, the application of the law is at the national level with each country establishing their own enforcement authority. In the UK the authority responsible for enforcement is the long-standing Information Commissioner, of the Information Commissioner’s Office (ICO).

As the independent official, the ICO’s mission includes upholding information rights, promoting openness by public bodies, as well as forwarding the data privacy of individuals. In this capacity, the Information Commissioner also has the power to levy large fines upon offending and non-compliant organisations.

Under the DPA, the ICO has the power to hand out fines equal to 20 million Euros, or 4% of global annual turnover from the previous year, whichever is greater. This comes as a sharp departure from the previous maximum (under the DPA 1998) of the relatively meagre £500,000.

History of the ICO

The Information Commissioner’s Office was originally founded in 1984 and since then, its role has grown considerably. With the introduction of the GDPR and the surrounding ‘excitement’, the independent authority has also expanded in prominence.

“[2018] has seen the biggest upgrade in UK data protection laws for a generation”

Information Commissioner’s Office

Having developed from a relatively small organisation, headed by a Data Protection Registrar, the organisation now handles tens of thousands of data protection complaints, thousands of freedom of information complaints and hundreds of thousands of calls to their helplines every year.

Since the mid-eighties, a great deal has changed in terms of the way organisations collect, handling and utilise personal data. The introduction of now ubiquitous personal electronics, not to mention a few high-profile cases of data mishandling, has seen the public’s expectations regarding data rights very much enter the zeitgeist.

Since 2016 the ICO has been led by Elizabeth Denham CBE who has overseen a plethora of important cases and investigations into the mishandling of personal data.

Enforcing with Fines

Including within the new seven principles of data protection is the ‘accountability’ principle. This guiding element of modern data protection law places the responsibility to protect personal data squarely upon organisations.

Not only do organisations have a responsibility and obligation to take the necessary precautions to protect data, they are also required to document and make their compliance demonstrable to authorities.

As well as this, organisations are also required to report any data breach to the ICO within 72 hours of becoming aware of the incident. Should any breached data likely result in a ‘high risk of adversely affecting individuals’ rights and freedoms’ then these parties must also be informed of the breach without ‘undue delay’.

In terms of who enforces the Data Protection Act, it may be the responsibility of the ICO to help, advise and potentially punish, it is also the responsibility of organisations to make sure they are informed, secure and compliant.

Failure to comply with any element of the DPA, including individual rights or data protection principles, can now result in hefty fines, far outweighing those previously possible.

Designed as a two tier system, the ‘higher maximum’ being 4% of annual turnover or 20 million Euros, reserved for the most serious of violations, and then the ‘standard maximum’, for lesser violations which amounts to only 2% of AT or 10 million Euros.

Data Protection Fee

Under the UK’s Data Protection Act, organisations which are responsible for the processing of personal data are in most cases required to pay the data protection fee to the Information Commissioner’s Office.

Covering all forms of processing, from medical data to crime prevention CCTV, the data protection fee accounts for between 85% to 90% of the ICO’s annual budget with the authority collecting around £40 million between 2018 and 2019 from the fee.

There are approximately 600,000 organisations already registered, each of which are publicly named by the ICO. Acting as an indication of adherence and compliance to data protection responsibilities, the fee ranges in cost from around £40 all the way up to £2,900, though is typically on the lower end of that spectrum.

This fee is based on a self-assessment which can be completed here and any organisation which has not already registered, should do so immediately to avoid any monetary penalties.