Protecting Customer Data: Why It Matters in the UK

This article will explain some of the key issues regarding protecting customer data, for organisations based in the UK.

We’ll cover the key risks around personal data breaches and how to prevent them by adopting good data protection law practices.

Why is protecting customer data important for businesses in the UK?

Protecting customer data is vital for several reasons. Fundamentally, taking proper care of customer data helps to build trust with customers. It can help companies develop a great reputation and save time and money; for example, an organisation with good customer data handling practices could avoid customer complaints and regulatory fines for misusing customer data.

You may have heard various news stories globally about data breaches, and there is growing suspicion and scrutiny around how organisations are handling customer data. Some very large companies, such as the tech giants, are facing a huge amount of customer mistrust around how data is handled.

Personal data law is a key concern around protecting customer data and is the focus of this article. The EU General Data Protection Regulation (EU GDPR) governing data protection came into force on 25 May 2018. Following the UK's withdrawal from the EU, this law has been effectively adopted into UK law and is known as the UK GDPR. In the UK, the UK Data Protection Act 2018 (DPA 2018) has implemented and supplemented the UK GDPR.

These laws have brought considerable changes to the data protection regime, including fines for data protection law breaches of up to £17,500,000 or 4% of total worldwide annual group turnover (whichever is greater).

You can find further information in our article on UK GDPR compliance.

What is customer data?

Customer data can include several different types of data, such as company data, financial data and personal data. This could include physical data such as invoices, customer letters, documents and contracts, emails, audio and video recordings and CCTV recordings.

Businesses are often required to source a large amount of data from their customers to provide products or services – for example, client onboarding information, personal data of customer employees and sometimes various sensitive documents, records and confidential business information. Sometimes, customer data is sourced by third parties, for example where third-party suppliers collect customer data on behalf of a business.   

‘Personal data’ is defined broadly under the UK GDPR and comprises data relating to any living individual who can be identified from that data (either directly or indirectly). It includes a variety of customer data such as: names, email addresses, addresses, national identification numbers, phone numbers, location data and online identifiers, cookies, photographs, signatures and health information. Additional and more stringent rules govern the use of ‘Special Category Personal Data’, which is viewed as highly sensitive and means personal data concerning: race or ethnic origin, political opinions, religious or other philosophical beliefs, trade union membership, physical or health information, sex life or sexual orientation and genetic or biometric data.

All such personal data must be properly handled and processed in accordance with the UK GDPR rules. In addition, businesses must also carefully safeguard other types of non-personal customer data (for example, through implementing stringent data security measures).

Risks of data breaches

Data breaches are a significant risk for organisations and should be taken extremely seriously.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A personal data breach can happen for various reasons and cover scenarios such as:

  • Theft of equipment on which data is stored e.g. a laptop.
  • Accidentally leaving a device on a train.
  • Hacking and phishing attacks.
  • Human error such as sending emails containing customer data to the wrong recipient.

The consequences of data breaches are potentially extremely severe – for example, this could lead to financial losses for a business, various legal consequences and reputational damage to name a few.

As an example of just how serious data breaches can be and what impact they can have, Marriott International received a huge fine of £14.8 million from the ICO in 2020, due to a major customer data breach which compromised the data of millions of customers. This is a significant warning about what can happen where businesses fail to put appropriate measures in place to protect customer data.

See our article for further detailed information around this topic and how to deal with data breaches.

Preventing data breaches

There are various measures which organisations can take to prevent data breaches from happening.

Regardless of the size of an organisation, a risk assessment should always be carried out to determine where the risks of data breaches lie and what can be done to prevent them.

Staff can be one of the key causes of data breaches, as mistakes often happen due to human error, and therefore staff training on cyber security issues and data protection is vital. For example, staff should be trained on data protection laws and how to prevent data breaches, but also on practical day-to-day issues such as how to spot suspicious emails, keeping strong passwords and being careful when sending out emails containing customer data.

Organisations must have in place appropriate data security measures to protect personal data. The types of security measures should be carefully considered and appropriate to the likely risks to individuals if their data is lost, stolen or disclosed to unauthorised individuals.  

Organisations must also have systems in place to deal with personal data breaches. Data breaches must be fully investigated and documented, and an internal data breach plan is key, to ensure that data breaches are dealt with correctly.

Organisations should record all steps they have taken to try to prevent data breaches, and this may be helpful in the event of a regulatory investigation.

Consequences of failing to protect customer data

Failing to protect customer data could have a number of negative consequences for businesses.

Some of the most serious consequences include the following:

  • Regulatory action and legal consequences, including heavy fines as mentioned above.
  • Negative publicity such as very bad press if there is a personal data breach.
  • Loss of business and goodwill as customer mistrust can be incredibly harmful.

For further information, please see our article on what can happen if you fail to protect customer data.

Creating a culture of data protection

Creating a culture of data protection and encouraging staff to take part in that culture is of huge importance for organisations. It’s crucial to make sure that staff fully understand why protecting customer data is vital for a business.

A comprehensive staff training programme can help achieve this, but staff need to understand this is not just a ‘tick box’ exercise but should be a core business value for everyone.

There are several steps which organisations can take to create a ‘culture’ of data protection, for example by:

  • Teaching staff about the legal requirements to safeguard customer data and becoming responsible stewards of personal data.
  • Training staff to handle, store and dispose of customer data securely and in a responsible way.
  • Allocating proper resources and responsibilities around data protection and providing staff with clear points of contact to resolve customer data issues.
  • Regularly reminding staff about the importance of protecting customer data and monitoring compliance with an organisation’s own policies and procedures around protecting customer data.


By way of summary, this article has explained why protecting customer data is extremely important.

The heart of data protection law is ensuring that customers can trust how their data will be used and that it is handled fairly. Since the UK GDPR came into force, businesses have been required to understand that customer data belongs to customers and that safeguarding it properly is mandatory. Cybercrime has been hugely on the rise and unfortunately there have been numerous occasions where businesses have experienced data breaches, leaking customer data, without expecting it. By changing mindset and embracing the UK GDPR rules, businesses can work to mitigate the risks we’ve outlined and ultimately develop strong and healthy relationships with their customers.

This article focuses on some of the key data protection issues to consider, but a range of other responsibilities apply when using customer data. Please contact our team for advice on the rules which apply to your business.

About our expert

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  
