Frequently Asked Questions

At CLF, we spend time understanding the UK Data Protection Regulations and Data Privacy Laws so you don’t have to.
Here’s a selection of the questions we’re asked most frequently:

What are the UK’s Data Privacy Laws?

UK Data Privacy Laws include:

• Data Protection Act 1998
• EU General Data Protection Regulation 2016
• Privacy and Electronic Communications Regulations
• The Freedom of Information Act 2000
• The Environmental Information Regulations 2004
• INSPIRE Regulations 2009.

The legislation applies to every business that processes personal data. The size of the business does not determine its liability; what matters is how the personal data is used and how much of it is processed. Contact us to find out more.

What is meant by ‘personal data’?

‘Any information relating to an identified or identifiable natural person (data subject)’

Something as simple as a name and address is personal data. Your organisation may also be collecting personal data without realising it, for example the IP addresses recorded by your website.

Personal data falls into two types: ordinary personal data and special categories (known as sensitive personal data under the Data Protection Act 1998), which require stricter processing controls.

Having a lawful reason to process the personal data, whether a regulatory requirement or a justifiable business need, is essential, but it is not your only obligation.

Why does my organisation need to comply with Data Protection regulations?

It is a statutory obligation for any organisation that processes personal data. Under the new EU General Data Protection Regulation, non-compliance can attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater.

Statutory data protection law has been in place in the UK since the Data Protection Act 1984. Even so, some businesses remain unaware of, or confused about, their roles and responsibilities in meeting the legislative requirements. Add to this the pace of technological change, the increasing demands of clients and staff, the growing use of third-party service providers and the proposed move to a new European Data Protection Regulation, and it is no wonder that compliance remains on the ‘things to do’ list.

There are weekly reports of personal data breaches, and the mindset that it could never happen to you could be very costly to your business. You are potentially liable not only for statutory fines but also for a loss of client and employee confidence. For some businesses, the total cost of responding to a breach can make or break them.

What are the operational and financial penalties issued for a breach?

It is important to note that not only organisations can be prosecuted or fined: individuals can be too (see Examples of Prosecution below).

Under the new EU General Data Protection Regulation, increased penalties of up to €20 million or 4% of annual worldwide turnover, whichever is greater, apply.

The costs of non-compliance can be large and currently include:

• Failure to notify = £5000 fine per entity
• Regulatory fines up to £500,000 per breach
• Custodial sentences of up to 2 years
• Loss of client and employee confidence = immeasurable
• Financial investment to correct = unpredictable
• Negative Press attention

When rectifying the breach, the total cost may also include system implementation, recruitment and training costs, to name just a few.

Are there Examples of Prosecution for breaches of data privacy?

Not all breaches are publicised nationally, and they affect organisations of every type in both the private and public sectors.

More information on enforcement can be found on the Information Commissioner’s Office (ICO) website, under ‘Action we’ve taken’.

Some of the best-known examples include:

Nationwide Building Society (2006)
Fined £980,000 by the Financial Services Authority (FSA), at that time the largest sum imposed for data loss in the UK, after an unencrypted laptop was stolen from a company employee, putting 11 million savers at risk.

HM Revenue & Customs (2007)
Two CDs containing the child benefit records of 25 million people went missing in the post. The discs were reportedly password protected but not encrypted. The incident highlighted how valuable data was being handled by poorly trained junior employees.

T-Mobile (2009)
Sales staff were caught selling customer records to brokers. The exact number of records was never established, but it was believed to be somewhere between half a million and several million. In 2011 the two employees involved were fined a total of £73,000 by the courts.

Brighton and Sussex University Hospitals NHS Trust (2010)
Fined £325,000 after the sensitive patient data of thousands of people was discovered on hard drives that had been sold on eBay.

Mumsnet (2014)
Following a software flaw (the Heartbleed vulnerability in OpenSSL), hackers were able to access and compromise the personal data of 1.5 million user accounts. This highlights the vulnerability of some systems and the importance of adequate information management systems.

Think W3 Limited (2014)
A serious attack in which a hacker accessed 1,163,996 credit and debit card records held by the online holiday firm. The ICO described it as a ‘staggering lapse’ in security and fined the company £150,000.

Moonpig (2015)
A security researcher found a flaw in the firm’s Android app that allowed access to the details of any Moonpig customer.

We have tight IT security, do I need to do anything else?

Good IT security controls are essential, but they are only one of the tools by which you can evidence parts of your compliance; other organisational controls also need to be in place.

What is the Information Commissioner’s Office?

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.