5. Data Protection Principles, Penalties & Privacy Impact Assessment

Data protection legislation sets out a number of principles, and both data controllers and data processors must adhere to them.

5.1 Principles

All personal data must be:

  1. Processed lawfully, fairly, and in a transparent manner in relation to the data subject (the lawfulness, fairness and transparency principle).
  2. Collected for specified, explicit and lawful purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (the purpose limitation principle).
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (the data minimisation principle).
  4. Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (the accuracy principle).
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (the storage limitation principle).
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (the integrity and confidentiality principle).

The data controller shall also be responsible for, and must be able to demonstrate compliance with, the preceding six principles (the accountability principle). This is best achieved through the implementation of written policies and procedures, such as this guidance document.

5.2 Penalties

In the case of a breach of these principles, the Information Commissioner's Office (ICO) can issue an enforcement notice and/or impose significant fines.

Enforcement notices are public information, and the 'brand damage' caused by the resulting media attention can be catastrophic. The maximum penalty for a data protection infringement is £17.5 million or 4% of total annual worldwide turnover, whichever is greater.

Probably the most common cause of fines is an organisation's failure to pay the annual data protection fee to the ICO (the successor to registration as a data controller). In this case fines range from £400 to £4,000 depending on the size and turnover of the organisation, and aggravating factors may increase the fine to a maximum of £4,350. None of the fines recovered go to the ICO; they are paid into the Treasury's Consolidated Fund.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action.”

“You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”