
Data Protection – How Companies should handle Personal Data and key steps to avoid Pitfalls and Fines.


In 2018, data protection law in the UK changed, and the regulation of how companies handle personal information became stricter.

The implementation of the General Data Protection Regulation (GDPR) gave individuals stronger legal rights to know how their personal data is being used, and resulted in companies being duty bound to process data responsibly and fairly or risk being fined for misuse.

This article looks at how the Information Commissioner's Office (ICO) recommends companies should handle personal data, explains what fines can be issued and looks at key steps that can be taken to ensure companies avoid common pitfalls or errors.

How should personal data be handled?

If a business stores or uses personal information it is legally obliged to ensure that it does so in a secure and accurate manner. Companies must be transparent when collecting personal data and must ensure that they notify an individual if they plan to use or store their information.

Equally, an individual has the right to request that their data is deleted or not used for certain purposes, or to request to see what information a company holds about them (otherwise known as a SAR – Subject Access Request).

Failing to comply with any of these requests or any misuse of personal data could result in the ICO issuing a fine, often referred to as a Monetary Penalty Notice (MPN).

Does my company need a Data Protection Officer (DPO)?

If you are a public authority, your core activities require large-scale monitoring of individuals, or your core activities consist of processing large amounts of data, then under UK GDPR rulings you are required to appoint a Data Protection Officer (DPO) for your company.

A DPO is appointed to monitor internal compliance and ensure that the company is regulated and carrying out personal data usage in a correct manner. A DPO must be an expert in data protection and can be internally or externally appointed.

A DPO essentially takes responsibility for how the company processes data by advising and helping to monitor compliance along with being the ICO’s main point of contact. Companies can appoint a DPO even if not required to.

However, when voluntarily appointing a DPO, it is important to know that the role must be carried out in the same manner as if the appointment had been mandatory.

What is a Monetary Penalty Notice (MPN)?

An MPN is a monetary fine that is served by the Information Commissioner's Office (ICO) on a case-by-case basis when a serious breach of data occurs. The monetary value of this notice is determined by the ICO and is set at two tiers: the higher maximum and the standard maximum.

The higher maximum amount applies to any failure to comply with any of the data protection principles and is set at a maximum fine of £17.5 million, or 4% of annual global turnover (whichever is greater).

The standard maximum applies to infringement of all other provisions of the legislation (such as administration requirements) and is set at a maximum of £8.7 million, or 2% of the total global turnover.

In some circumstances, the ICO has specific powers not only to fine but also to raise prosecution proceedings (potential prison sentences) for any data protection breaches which constitute an offence.

What steps can my business take to avoid the imposition of an MPN?

  • Ensure that the business can provide evidence that it has recognised the risks of handling personal data and has taken action to address the issue (for example, the business has conducted a risk assessment).
  • Put in place appropriate policies, practices and procedures to avoid potential data protection breaches within the business (for example, by establishing a robust compliance regime).
  • Pay particular attention to data protection issues where the personal data of large numbers of individuals or sensitive data is concerned.
  • Implement any codes of practice published by the Commissioner or other regulatory bodies that may be relevant to potential data protection breaches within the business.
  • Do not allow any known issues to remain unresolved (for example, rectify any problems with the business’ IT systems as soon as possible).

For further information and guidance, please contact the Corporate and Commercial team

Rebecca Flint-Hill




Rebecca is a Paralegal for our Commercial Litigation team based within our Kettering office. Rebecca assists our senior fee earners with a wide range of adverse possession matters. Rebecca is currently studying for her Graduate Diploma in Law and is in her second year of…