Who enforces data protection legislation in the UK?

Who enforces the Data Protection Act? Who enforces UK GDPR? And who can you ask about data protection legislation? 


Who enforces the UK’s Data Protection Act? 

The Information Commissioner’s Office (ICO) is the independent public body that enforces and regulates the UK’s Data Protection Act (DPA). The ICO upholds information rights, promotes openness by public bodies, and advances the data privacy of individuals. It also publishes advisory guidance for organisations, to help them make the changes needed to comply with the DPA 2018 (which incorporates GDPR).

The General Data Protection Regulation (GDPR) was introduced across Europe in 2016 and became enforceable in May of 2018, before being incorporated into UK law in the form of the DPA 2018.  

Specifically regarding GDPR – which is a Europe-wide piece of regulation – the law is applied at the national level, with each country establishing its own enforcement authority. In the UK, the authority responsible for enforcement is the ICO.

The ICO is responsible for determining and administering the repercussions an organisation will face if it breaches the DPA. The penalties an organisation can face are not mutually exclusive: the ICO will apply whichever penalties are appropriate to the case, so it is essential to remain up-to-date with ICO guidelines.

Under the DPA 2018, the ICO has the power to impose fines of up to 20 million Euros, or 4% of global annual turnover for the previous year (whichever is greater). This is a sharp departure from the previous maximum (under the DPA 1998) of a relatively meagre £500,000.


What exactly is the DPA 2018? 

If you are operating a business within the UK, chances are the DPA directly affects many of your responsibilities and practices regarding the personal data you process.  

The DPA 2018 not only placed new responsibilities upon organisations that handle personal data, but also sought to strengthen the rights of citizens in relation to their data, and to address several decades of technological advancement.

Data Protection Act 1998 vs 2018

Replacing the DPA of 1998, the DPA 2018 built upon and advanced many of the existing principles governing how organisations work with personal data. Both the GDPR and the DPA centre around seven key principles.

The Seven Principles

Lawfulness, fairness and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation

Integrity and confidentiality

Accountability



How does the ICO enforce the DPA? 

Included within the seven principles of data protection – as set out in the DPA 2018 – is the ‘accountability’ principle. This guiding element of modern data protection law places the responsibility to protect personal data squarely upon organisations.

Not only do organisations have an obligation to take the necessary precautions to protect data, they are also required to document their compliance and be able to demonstrate it to the authorities.

Any organisation that processes personal or sensitive data is required to register with the ICO. The ICO therefore holds the relevant information on all data controllers in the UK, including their names, addresses and the type of processing each organisation carries out. Registered organisations then have access to the ICO’s guidelines and advice needed to ensure the DPA has been implemented correctly.

As well as this, organisations are required to report any data breach to the ICO within 72 hours of becoming aware of the incident. Should the breach be likely to result in a ‘high risk of adversely affecting individuals’ rights and freedoms’, then the affected individuals must also be informed of the breach without ‘undue delay’.

In terms of who enforces the DPA, it is the responsibility of the ICO to help, advise and, where necessary, punish, but it is also the responsibility of organisations to make sure they are informed, secure and compliant.

Failure to comply with any element of the DPA, including individual rights or data protection principles, can now result in hefty fines, far outweighing those previously possible. 

Designed as a two-tier system, the ‘higher maximum’ fine, reserved for the most serious violations, is 4% of annual turnover or 20 million Euros. The ‘standard maximum’ fine, for lesser violations, is 2% of annual turnover or 10 million Euros.


Data Protection Penalties & Data Protection Fee 

As mentioned earlier, under the UK’s DPA 2018, organisations responsible for the processing of personal data are in most cases required to pay the data protection fee to the ICO.

Covering all forms of processing, from medical data to crime-prevention CCTV, the data protection fee accounts for between 85% and 90% of the ICO’s annual budget, with the authority collecting around £40 million from the fee between 2018 and 2019.

There are approximately 600,000 organisations already registered, each of which is publicly named by the ICO. Acting as an indication of adherence to data protection responsibilities, the fee ranges from around £40 all the way up to £2,900, though it is typically at the lower end of that range.

This fee is based on a self-assessment, which can be completed here; any organisation that has not already registered should do so immediately to avoid monetary penalties.


ICO penalties for breaching the DPA: 

The ICO conducts audits to examine an organisation’s compliance with the DPA. If the organisation is found to have breached the DPA, the ICO may impose the discretionary fines at its disposal.

The ICO imposes administrative fines on organisations according to the specifics of each case. The highest tier of fine an organisation could face for breaching the DPA is either 4% of its annual global turnover or 20 million Euros, whichever is higher. Because the ICO is accountable for these penalties, any administrative fine it issues must be effective, proportionate and dissuasive.

Knowledge and training to maintain an organisation’s compliance with the DPA are fundamental to its success, and essential to avoiding harsh repercussions from the ICO.


What next? 

At Cybata, we work with companies on a daily basis on their compliance with the DPA 2018 and GDPR. 

Our services range from a Data Protection GAP Analysis, to the creation of a Record of Processing Activity (ROPA), Data Protection Training and helping with a Data Breach Response. 

Our job is to help you become compliant.