Data Protection Act: offences and penalties


Nick Titchener

Managing Partner

What is the Data Protection Act 2018?

The Data Protection Act 2018 is the UK's implementation of the EU-wide General Data Protection Regulation (GDPR). It controls how personal data is used by organisations, businesses and government. Under both the regulation and the act, personal data is any information which directly identifies a living individual or could be used to identify one.

Personal data includes, but is not limited to:

  1. Names
  2. Identification numbers such as national insurance or passport numbers
  3. Location data such as postal addresses or mobile GPS data
  4. Online identifiers such as IP or email addresses
  5. Information about the health or genetic conditions of an individual
  6. Biometric data such as fingerprints
  7. Ethnicity
  8. Political or religious views
  9. Sexual orientation

The act gives consumers and employees the right to know how their personal data is being used, access their data, have their data updated or erased and stop or restrict the use of their data.

What are your responsibilities under the Data Protection Act 2018?

If you run any kind of organisation in the UK, you must follow the data protection principles by ensuring that any personal data relating to your customers or employees is:

  1. Handled in a fair, lawful and transparent way
  2. Used for specific purposes which are made explicit
  3. Limited in its use, according to what is relevant or necessary
  4. Kept accurate and up to date
  5. Not kept for longer than is necessary
  6. Handled in a way that ensures adequate security

What offences can be committed in relation to personal data?

There are a number of ways in which the laws around data protection can be broken, which should make the proper handling of data a key priority for you and your organisation. In an age of ever-increasing public scrutiny, being convicted of any of these offences can cause irreversible reputational damage.

The purpose of the GDPR is to give individuals greater control over their personal data. If you run a company which obtains and processes that data, you are the controller under the GDPR. The controller is distinct from the processor, who may handle data on your behalf, but both have legal obligations. Engaging a processor does not relieve you of your obligations as the controller.

The emphasis on the controller in the definitions below does not diminish the individual's rights to information about, access to and erasure of their personal data. Instead, it places the onus on you, as the controller, to implement and maintain the data protection principles outlined above.

1. Unlawful obtaining or disclosing of personal data

The manner in which personal data is obtained is one of the most crucial areas to which the act applies. It is an offence to knowingly or recklessly obtain, disclose or retain an individual's personal data without the consent of the controller.

It is also an offence to sell, or offer to sell, personal data if it has been obtained unlawfully. Selling personal data is defined as disclosing, making available, disseminating or transferring it.

2. Re-identification of de-identified personal data

De-identified personal data has been processed so that it can no longer be attributed, without additional information, to a specific individual. The re-identification of personal data means taking steps to reverse this process.

It is unlawful to knowingly or recklessly re-identify personal data without the consent of the controller responsible for de-identifying it. It is also an offence to process personal data that has been re-identified in this manner.

3. Alteration of personal data to prevent disclosure to data subject

This offence relates to the rights of individuals to request information about, or access to, the personal data organisations hold about them. In the event of such a request, it is unlawful to alter, deface, block, erase, destroy or conceal information with the intent of preventing such a disclosure.

What are the penalties for breaking data protection laws?

Breaches of the Data Protection Act 2018 are either failures to uphold the data protection principles or one of the specific offences described above. As the act implements the GDPR, the penalties for breaches by individuals or organisations are much the same as those in place across the EU. The offences above are punishable by a fine rather than imprisonment.

For individuals, the court can impose an unlimited fine, which is generally set with regard to the defendant's circumstances. Most cases under the act are dealt with in the magistrates' court, and the magistrates' court and the Crown Court now have the same power to impose fines.

Depending upon the nature of the breach, there are two tiers of fines imposed upon organisations:

  1. Up to €10 million or 2% of annual global turnover, whichever is greater
  2. Up to €20 million or 4% of annual global turnover, whichever is greater

If you think that you have breached a data protection law, or you have been accused of breaching one, you need to contact Lawtons immediately. Our team of legal professionals is highly experienced and will provide you with individual guidance.
