Knowledge Hub
for Growth

What happens if you get Data Protection wrong?

Data is the lifeblood of the economy in today’s business world, consequently it’s increasingly becoming a critical element of any organisation’s growth strategy to ensure that their approach to data protection compliance doesn’t hinder their progress. 

It’s not just the issue of appearing careless with customer or staff personal data that organisations should be concerned with, they can also suffer serious financial consequences either as a result of the Information Commissioner’s Office (ICO) taking enforcement action or because an aggrieved individual has brought a court claim for compensation (discussed in more detail below). For these reasons, it’s important that organisations understand the full implications of what can happen if you get data protection wrong.

1. ICO enforcement action

The ICO has a wide range of regulatory actions at its disposal for infringement of data protection legislation, including;

  • Information notices; this is a formal request from the ICO to provide information within a specified timeframe. If a company fails to comply with an information notice in a timely manner, the ICO may apply for a court order requiring a response or may issue a penalty notice. 
  • Enforcement notices; the purpose of an enforcement notice is to require the recipient to take certain action to bring about compliance with information rights or remedy a breach or both within a specific timescale, and this could include requiring an organisation to stop using personal data for a specific purpose.  If an organisation fails to comply with an enforcement notice, the ICO may consider taking further action including but not limited to issuing a monetary penalty notice.
  • Monetary penalty notices; the ICO has the power to issue a monetary penalty for infringement of data protection legislation.  There are two tiers of an infringement, the ‘higher maximum’ and the ‘standard maximum’. 

The higher maximum

Organisations may be fined up to £17.5 million under the UK GDPR, or €20 million under the EU GDPR, or 4% of annual global turnover for failure to comply with any of the data protection principles, or the individual’s rights, or in relation to transfers of data to third countries. 

The standard maximum

Organisations may be fined up to £8.7 million under the UK GDPR, or €10 million under the EU GDPR, or 2% of annual global turnover for infringement of other provisions such as administrative requirements of the legislation. 

  • Inspection Powers; the ICO is able to conduct an inspection or authorise another organisation to conduct it for them, in most cases the outcome will be an audit report setting out recommendations which could lead to formal enforcement action. 
  • Reprimands: this is a written letter stating that the ICO believes an organisation has failed to meet its data protection obligations. It is usually accompanied by a list of reasons for the decision and recommended steps that an organisation should take. The ICO announced in December 2022 that would begin to routinely publish reprimands, unless there was a good reason to refrain from doing so. 

2. Reputational damage

Hefty fines for non-compliance with the data protection legislation tend to grab the headlines, however, organisations should also be aware of the reputational damage that can arise and the potential knock-on effects. ICO enforcement action is usually published and is therefore in the public domain, it’s often not long before the news of action taken will spread and this can affect customer confidence, and ultimately profits. Whilst a monetary penalty is potentially manageable, the negative effects of bad publicity could mean that consumers no longer trust an organisation which can be fatal to business in the long term.

3. Claims from private individuals

The ICO is not able make compensation awards in favour of individuals, however, UK GDPR gives data subjects a right to claim compensation in court under Article 82, where they have suffered material or non-material damage as a result of an infringement. Quite often data subjects will run a complaint with the ICO at the same time as a compensation claim through the courts, as a determination by the ICO that UK GDPR has been infringed could be persuasive in the eyes of the judge. 

In the event that an individual is successful in their claim, then organisations could be liable for damages and costs, and also suffer reputational damage as court proceedings are usually open to the public. 

4. A drain on resources

Whether an allegation of an infringement has merit or not, an organisation could spend unnecessary amounts of time evaluating and responding to issues, which ultimately distracts from your ability to carry out your core business activity which can affect your bottom line. For example, significant amounts of manpower can be exhausted when dealing with data subject access requests, or evaluating personal data breaches, some of this time can be minimised by putting having the correct compliance documentation in place at the outset, as well as a robust data protection governance structure of roles and responsibilities. 

How can we help?

Harper James can assist you with assessing your organisation’s compliance with data protection legislation and helping you pinpoint areas of weakness that could lead to potential enforcement action and/or slow you down in your ability to respond.

Don’t wait until you’re already on the back foot!  Get in touch with one of our data protection specialists today to identify what steps should be taken to stay compliant with data protection laws.

Let us do the hard work and make sure you are compliant.- Read more about our health check audits here.

About our expert

Becky White

Becky White

Senior Data Protection & Privacy Solicitor
Becky is an experienced data protection and privacy lawyer who qualified in 2002. She supports clients with navigating data protection compliance and provides practical commercial advice related to privacy laws.  

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

Like what you’re reading?

Get new articles delivered to your inbox

Join 8,153 entrepreneurs reading our latest news, guides and insights.


To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry