Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles personal data (and most do), UK data protection law applies to you. But what actually happens if you get it wrong?
Don’t stress – the law isn’t designed to trip you up. However, breaches can lead to real consequences, from formal warnings and fines to reputational damage and expensive claims. The good news is that with the right systems and contracts in place, you can greatly reduce your risk and respond quickly if something does go wrong.
In this guide, we’ll walk through what counts as “breaking” data protection law, the consequences you could face, common small business pitfalls, and the practical steps to take after a breach. We’ll also cover how to build simple, robust compliance so you’re protected from day one.
What Counts As Breaking UK Data Protection Law?
When people talk about “breaking the Data Protection Act,” they’re usually referring to breaches of UK GDPR (the UK’s version of the GDPR) and the Data Protection Act 2018. Together, these set the rules for how you collect, use, share, and secure personal data about customers, staff, suppliers, and anyone else you deal with.
You may also need to comply with the Privacy and Electronic Communications Regulations (PECR), which cover direct marketing (email/SMS/phone) and the use of cookies and similar technologies.
In plain English, you’re at risk of a breach if you:
- Collect or use personal data without a lawful basis (for example, sending marketing without consent where consent is required)
- Fail to provide clear privacy information to individuals (e.g. no or inadequate Privacy Policy)
- Hold more data than you need, or keep it for longer than necessary
- Ignore someone’s data rights (like failing to respond to a subject access request in time)
- Share data with third parties without appropriate safeguards or contracts
- Transfer data overseas without proper protections
- Fail to take appropriate technical and organisational security measures (e.g. weak access controls, no encryption, poor staff training)
- Set cookies or similar technologies without proper consent where required
Not every mistake is a reportable breach, and not every breach leads to a fine. Regulators care about your risk management, accountability and how you respond – so documentation and a credible remediation plan matter.
What Are The Consequences For Your Business?
Consequences vary with the seriousness of the breach, how many people are affected, what kinds of data are involved, and how you handle the incident. Typical outcomes include:
Regulatory Action (ICO)
The Information Commissioner’s Office (ICO) can take a range of actions, including:
- Information and assessment notices requiring you to provide details or allow audits
- Enforcement notices requiring you to stop certain processing or improve controls
- Monetary penalties for serious infringements (up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches; or up to £8.7 million or 2% for other infringements)
PECR breaches (e.g. unlawful marketing messages or cookie failures) can also attract significant penalties. Even if you avoid a fine, the costs of remediation and the disruption to your operations can be substantial.
Civil Claims And Complaints
Individuals can bring claims for financial loss and distress caused by a breach. If you process data for another business, your contracts may include indemnities or service credits if you mishandle data. You could also face complaints to the ICO that trigger investigations and reputational scrutiny.
Criminal Offences
Certain behaviours are criminal, such as unlawfully obtaining personal data or knowingly or recklessly re-identifying anonymised data. Tampering with data to obstruct a subject access request can also carry criminal liability. Directors and managers can be personally liable where offences are committed with their consent, connivance, or due to neglect.
Operational And Reputational Damage
Beyond regulator action, a breach can lead to downtime, lost customers, higher insurance premiums, and costs linked to forensics, remediation, and notifications. Trust is hard-won and easily lost – especially for small businesses.
Failure To Pay The ICO Fee
Most organisations must pay an annual fee to the ICO (unless exempt). Failing to pay can lead to penalties and enforcement. It’s an easy compliance win: make sure your ICO fee status is up to date.
Common Small Business Pitfalls (And How To Avoid Them)
Here are scenarios we see again and again, along with simple ways to reduce your risk.
1) Missing Or Inadequate Privacy Information
If you collect names, emails, addresses, purchase histories or similar, you need to tell people what you’re doing with their data, why, and for how long. The easiest way to do this is with a clear, accessible Privacy Policy that reflects your real-world practices (not a generic template).
2) Unlawful Marketing And Cookie Compliance
Sending marketing emails or SMS without consent (in many B2C contexts) or relying on pre-ticked boxes can breach PECR. On your website, you’ll usually need consent before setting non-essential cookies. Use a proper consent mechanism and keep a record of preferences.
Make sure your Cookie Policy matches what your site actually does, and implement cookie banners that allow genuine choice (including a true “reject” option).
3) Mishandling Data Subject Rights
People have rights to access, correct, delete and object to processing of their data. Missing deadlines is a frequent trigger for complaints. Build a simple process and diarise subject access request deadlines, as well as your retention and deletion timelines.
4) Weak Contracts With Suppliers
If a third party processes personal data for you (hosting, email marketing, payroll), you are still responsible for compliance. Always put a proper Data Processing Agreement in place and check what security measures they actually use. If you share data with another controller, consider a Data Sharing Agreement.
5) Employee And Workplace Data
From right-to-work checks to sickness records, employee data is sensitive. Limit access to HR need-to-know staff, secure it appropriately, and be transparent with staff about monitoring or bring-your-own-device rules via an Acceptable Use or IT Policy. Train your team regularly.
6) International Transfers And Cloud Tools
Many small businesses use cloud platforms that store data outside the UK. Before transferring personal data overseas, ensure appropriate safeguards are in place (for example, standard contractual clauses and transfer risk assessments). Don’t just tick a box – verify where the data lives and who can access it.
What To Do After A Data Breach: A Step-By-Step Response
If something goes wrong, quick and structured action helps you protect people and your business. A written plan keeps you calm and consistent.
1) Contain And Secure
Stop the bleeding. Reset credentials, disable compromised accounts, take affected systems offline if needed, and preserve evidence. Brief a small incident team and control communications to avoid confusion.
2) Assess The Risk
Work out what happened, which personal data was affected, how many people are impacted, potential harm (financial fraud, identity theft, embarrassment), and whether vulnerabilities remain.
3) Decide Whether To Notify The ICO
If the breach is likely to result in a risk to people’s rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware. Document your decision either way.
4) Inform Affected Individuals Where Required
If there’s a high risk to individuals, you must also inform them without undue delay, using clear language and practical advice (e.g., password resets, contacting their bank, or being alert to phishing).
5) Record Everything
You’re required to keep a breach log. Record the facts, effects, and remedial steps taken. This helps with accountability and future improvements.
6) Remediate And Improve
Fix the root cause. That could mean software patches, access control changes, staff training, or supplier contract updates. Update your policies and test your response plan.
If you don’t already have one, put a tailored Data Breach Response Plan in place so you’re not writing it mid-crisis. If the incident is complex or high-risk, consider a short Data Protection Consultation to triage the legal decisions and draft any regulator notifications.
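The six steps above describe a decision process that is easy to get wrong under pressure: was the breach risky enough to notify the ICO, is it high-risk enough to tell individuals, how long is left of the 72 hours, and has every incident (reported or not) gone into the breach log? The following is an added example, not code from the article or from Sprintlaw, of a small breach-register helper that captures those decisions. It assumes a simplified risk heuristic (certain data categories are treated as high risk, and data that was unreadable to the person who got it, such as a strongly encrypted device whose key was not exposed, is treated as unlikely to create a risk); the real assessment is the case-by-case judgement the steps describe, and the sample incidents are constructed for illustration.

```python
"""Breach register helper (added example, not part of the original guide).

Encodes the response logic from the step-by-step guide:
  - assess risk to individuals,
  - decide whether the ICO must be notified (and when the 72-hour window ends),
  - decide whether affected individuals must be told (high risk only),
  - record every breach in an internal log whether or not it is reported.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
import json

# UK GDPR: notify the ICO without undue delay and, where feasible, within 72 hours.
ICO_WINDOW = timedelta(hours=72)

# Assumption for this example: exposure of these categories is treated as high risk.
HIGH_RISK_CATEGORIES = {
    "bank account details", "card details", "passwords", "health records",
    "identity documents", "right-to-work documents",
}


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"      # record internally only
    RISK = "likely to result in a risk"            # notify the ICO
    HIGH = "likely to result in a high risk"       # notify the ICO and individuals


@dataclass
class Breach:
    reference: str
    became_aware: datetime          # timezone-aware moment you became aware
    facts: str
    data_categories: list
    individuals_affected: int
    data_unreadable: bool = False   # e.g. encrypted and the key was not exposed
    effects: str = ""
    remedial_steps: list = field(default_factory=list)


def assess_risk(b: Breach) -> Risk:
    """Simplified triage (assumption, see lead-in): unreadable data or nobody
    affected -> unlikely; sensitive categories -> high; otherwise -> risk."""
    if b.data_unreadable or b.individuals_affected == 0:
        return Risk.UNLIKELY
    if HIGH_RISK_CATEGORIES & {c.lower() for c in b.data_categories}:
        return Risk.HIGH
    return Risk.RISK


def ico_deadline(b: Breach) -> datetime:
    """End of the 72-hour window, measured from when you became aware."""
    return b.became_aware + ICO_WINDOW


def decide(b: Breach, now: datetime) -> dict:
    """Return the notification decisions and how much of the window remains."""
    risk = assess_risk(b)
    remaining = ico_deadline(b) - now
    return {
        "reference": b.reference,
        "risk": risk.value,
        "notify_ico": risk in (Risk.RISK, Risk.HIGH),
        "notify_individuals": risk is Risk.HIGH,
        "ico_deadline": ico_deadline(b).isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "ico_deadline_passed": remaining < timedelta(0),
    }


class BreachLog:
    """Internal breach log: every breach is recorded, reported to the ICO or not."""

    def __init__(self):
        self.entries = []

    def record(self, b: Breach, now: datetime) -> dict:
        entry = decide(b, now)
        entry.update({"facts": b.facts, "effects": b.effects,
                      "remedial_steps": b.remedial_steps,
                      "recorded_at": now.isoformat()})
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


# Constructed sample incidents (not real events) to exercise the helper.
AWARE = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
NOW = AWARE + timedelta(hours=20)
SAMPLE_BREACHES = [
    Breach("BR-0001", AWARE, "Newsletter export emailed to the wrong supplier",
           ["names", "email addresses"], 250, effects="Possible phishing of subscribers",
           remedial_steps=["Recipient confirmed deletion", "Export permission revoked"]),
    Breach("BR-0002", AWARE, "Encrypted laptop left on a train; disk key not exposed",
           ["names", "addresses"], 1200, data_unreadable=True),
    Breach("BR-0003", AWARE, "Card details visible to all staff in the ticketing tool",
           ["card details"], 40),
]


def build_sample_log(now: datetime = NOW) -> BreachLog:
    log = BreachLog()
    for b in SAMPLE_BREACHES:
        log.record(b, now)
    return log


if __name__ == "__main__":
    print(build_sample_log().to_json())
```

Running the file prints the three log entries: the mis-sent export must go to the ICO but not to subscribers, the encrypted laptop is logged but not reported, and the exposed card details trigger both notifications. The `hours_remaining` field is what an incident lead should be watching; once it goes negative the entry still has to be logged, and the record should explain the delay.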
How To Prevent Breaches And Stay Compliant
Perfect security doesn’t exist, but a few practical building blocks go a long way. Focus on proportional, documented controls that fit how your business actually runs.
Map Your Data And Choose A Lawful Basis
List what personal data you collect, why you collect it, where it’s stored, who you share it with, and how long you keep it. Decide your lawful basis for each activity (consent, contract, legitimate interests, legal obligation, etc.) and document your reasoning.
Set Clear, Accurate Privacy Information
Publish a simple, accurate Privacy Policy. Keep it up to date as your operations change (new tools, new data uses, new sharing arrangements). Ensure internal processes match what you say publicly.
Put The Right Contracts In Place
- Use a Data Processing Agreement with all processors (e.g. marketing platforms, outsourced IT, payroll).
- Use a Data Sharing Agreement where you share personal data with another controller (e.g. a joint venture partner).
Strengthen Security Basics
Enable MFA on key systems, use strong passwords and a password manager, encrypt devices, keep software patched, and restrict access on a need-to-know basis. Regularly back up critical data and test restores.
Train Your Team
Human error drives many breaches. Short, regular refreshers on phishing, handling subject access requests, and how to spot and report incidents are extremely cost-effective.
Plan For Rights Requests
Have a checklist and calendar reminders for subject access request deadlines. Be ready to verify identity, locate data across systems, apply exemptions correctly, and respond within one month (with limited extensions where appropriate).
Get Your Cookies And Marketing Right
Audit your website and marketing tools. Align your Cookie Policy with actual tracking technologies and implement compliant cookie banners. Keep your email lists clean and respect opt-outs promptly.
Keep Governance Simple And Documented
Appoint someone to own data protection day-to-day, maintain a breach log, and review your policies annually. Ensure your ICO registration and ICO fee are sorted. If you undertake higher-risk processing, consider a Data Protection Impact Assessment.
FAQs: Quick Answers To Common Questions
Do All Breaches Have To Be Reported To The ICO?
No. You only need to notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms. However, you must record all breaches in your internal log, even those you don’t report.
Will We Automatically Get A Fine If We Breach?
Not necessarily. The ICO looks at severity, scale, sensitivity of data, mitigation steps, and your cooperation. Many cases result in recommendations or enforcement notices instead of monetary penalties, particularly where you’ve shown accountability and taken swift action.
Can Individuals Sue Us For Distress?
Yes. Individuals can claim compensation for financial loss and non-material damage (like distress) caused by breaches. Good record-keeping, robust security and clear communications can help limit exposure.
Are We Liable For Our Suppliers’ Mistakes?
You remain responsible for processors you use. If they mishandle data, you could face regulatory action and claims, and you may need to demonstrate due diligence and contract controls. This is why a strong Data Processing Agreement and ongoing oversight matter.
How Quickly Do We Have To Tell Customers?
If there’s a high risk to people, you must inform them without undue delay. Practically, that means as soon as you can give accurate, helpful information and advice – don’t wait for perfection if risk is ongoing.
Key Takeaways
- Breaking UK data protection law can lead to enforcement notices, complaints, civil claims and, in serious cases, significant fines – but your response and accountability make a big difference.
- The most common pitfalls are avoidable: publish an accurate Privacy Policy, use compliant cookie consent, and respect marketing and data subject rights.
- Lock down third-party risk: sign a Data Processing Agreement with processors and use a Data Sharing Agreement where you share personal data with other controllers.
- Be breach-ready: a written Data Breach Response Plan, clear roles, and a tested communications approach help you act within 72 hours if needed.
- Build simple governance: map your data, train staff, secure systems, diarise subject access request deadlines, and keep your ICO fee current.
- If you’re unsure how the rules apply to your specific setup, tailored advice will save you time and reduce risk – especially if you use multiple cloud tools, handle sensitive data, or work with overseas providers.
If you’d like help tightening your compliance or need urgent support after an incident, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.