Written by Walter McCahon, Manager, Data Policy, UK Finance


In recent months there have been a lot of data breaches making news. Alongside these the Information Commissioner’s Office (ICO) has issued new fines for breaches of data protection law, including some for the maximum permitted amount under the old Data Protection Act 1998 rules – £500,000.

Of course, having a data breach (where personal data is lost or compromised) does not necessarily indicate a breach of data protection law. But if security was not up to the necessary standards, this could attract a fine. Or the data breach might lead to greater scrutiny, which could identify another rule that was broken and might lead to a fine.

Under the new rules applied by the General Data Protection Regulation and the UK’s Data Protection Act 2018, fines can be much higher. For example, as well as inadequate security, recent large fines have been a result of the ICO identifying poor data retention practices and lack of transparency. Breaking these rules under GDPR can result in a fine as high as four per cent of a firm’s global turnover.

A systematic approach to data retention is required under the new regime. The ICO recommends firms have a written retention policy setting out what personal data the firm holds, why it is needed and how long it needs to be held for those purposes. Once the data is no longer needed, it should be deleted or permanently rendered anonymous, so the individuals cannot be identified. ICO guidance on retention periods and setting retention periods is available here.

In terms of transparency, the GDPR requires firms to provide a detailed explanation of the personal data they collect, how it is processed and for what purposes. For firms that hold a lot of data, this can be a complex picture to present clearly. The ICO recommends that firms ‘layer’ information to help present it clearly. An overview of the data processing should be provided up front, along with some of the most impactful information, with more detail available to those who are interested in digging a little deeper. The ICO also recommends using tools like privacy ‘dashboards’ (which are starting to appear on various websites) to help people understand how their data is being used and give them more control. The ICO’s guidance to firms on transparency is available here.

More broadly, ensuring that you stay on the right side of all of the GDPR’s rules requires an appropriate governance framework. Under the GDPR’s ‘accountability principle’, firms cannot just fluke compliance; they need to be able to demonstrate that they comply. Appropriate controls across the three lines of defence will be needed. Furthermore, many firms will need to have a data protection officer to monitor and advise on personal data processing. Sitting above this, given the consequences of getting privacy and data protection wrong, firms should make sure they have appropriate senior level accountability and oversight.


Related Learning:

UK Finance are running both a workshop and free webinar on reputation risk soon:

Workshop – 5 December
Reputation Risk: How To Identify, Measure and Manage It for The New Regulatory Reporting

Under the Conduct regime and the new era of ‘behavioural regulation’, regulators now observe how firms build and protect trust in their services. Reputation is now regarded as an essential part of the capital base that needs to be measured and reported alongside other aspects of risk in the business.

This workshop will help firms produce new indicators, report formats and management tools for reputation, exactly as the regulator expects.

This workshop will also help delegates:

  • Consider and measure the business value of trust in your firm; identifying how and where lost trust destroys value and market access, increases cost of capital, and reduces retention of staff and clients
  • Promote best practice in front-line management of reputation risk under Conduct rules, to build trust pre-emptively, sustain and protect business value
  • Assemble the techniques and tools you need to plan ahead for regulatory changes that may affect your firm: learn what your ‘social licence’ is, and why regulators now focus on it; discover new indicators for valuing reputation risk and related cost of capital, under Basel III and other reputational risk reporting
  • Assess the commercial effects of positive and negative trust on cashflow, capital, resources, markets and Board governance
  • Discover how to use reputation risk management to pre-empt Conduct enforcement risk and protect business value

Book Now
£650 (+VAT) – Members / £800 (+VAT) – Non-members


Free Webinar – 30 October
Reputation Risk – ‘What to do when bad news surfaces?’

Aggrieved customers, disaffected employees, regulatory or police investigations, activist shareholders, operational crises, pressure groups, or everyday media enquiries can all put at risk the reputation of a firm, its brands and its directors. Is your firm managing these risks appropriately?

In this free 60-minute webinar UK Finance will be joined by David Engel, Partner, Reputation & Information Protection at Addleshaw Goddard, and Stuart Leach at Pagefield Global Counsel to discuss:

  • How crisis events can impact reputation
  • What are the legal, PR and practical options before the story breaks, while it is running, and after the event?
  • To what extent can you control what is being said about you online? Does it matter anyway?
  • Crisis preparation and training – what can you be doing in advance to improve the prospects of weathering the storm?
  • Litigators and communicators – unnatural bedfellows or a dream team?

Book Now

GDPR – breaching the rules