
Legal Implications of GDPR Non-Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law designed to protect personal data and privacy. The regulation governs how organisations handle personal data. It was introduced by the European Union (EU) in 2018 and after Brexit, the UK retained the GDPR framework but adapted it into the UK GDPR, which works alongside the Data Protection Act 2018.

GDPR focuses on seven main principles:

  1. Lawfulness, fairness and transparency: Organisations must process data legally, fairly and in a transparent way.
  2. Purpose limitation: Data should only be collected for specified, explicit and legitimate purposes.
  3. Data minimisation: Only necessary data should be collected (no excessive data collection).
  4. Accuracy: Organisations must ensure that personal data is accurate and up to date.
  5. Storage limitation: Data should not be kept longer than necessary.
  6. Integrity and confidentiality: Data must be kept secure to protect against unauthorised access or breaches.
  7. Accountability: Organisations must demonstrate compliance with GDPR.

The GDPR regulates how personal data, such as names, email addresses and IP addresses, is collected, stored and used. Under the GDPR, businesses must obtain clear and informed consent before collecting and processing personal data, and organisations must have safeguards in place to protect that data from breaches.

Under the GDPR, individuals have control over their personal data. This includes:

  • Right to be informed: Individuals must be told how their data is being used.
  • Right of access: People can request to see the personal data held about them.
  • Right to rectification: Individuals can request corrections to inaccurate data.
  • Right to erasure: Individuals can request deletion of their data.
  • Right to restrict processing: People can ask for their data to be temporarily restricted.
  • Right to data portability: Data must be provided in a machine-readable format if requested.
  • Right to object: Individuals can refuse the processing of their data in certain situations.
  • Rights related to automated decision-making: People can challenge decisions made without human involvement (e.g., automated loan approvals and other decisions made by AI).

The UK GDPR is overseen by the Information Commissioner’s Office (ICO).

Any business or organisation that processes personal data has to comply with GDPR. This includes:

  • Businesses and corporations
  • Government agencies
  • Non-profits
  • Online platforms
  • Social media companies

Not only do UK companies have to comply with the UK GDPR but any foreign organisation that processes the data of UK residents, offers goods or services to individuals in the UK or monitors the behaviour of individuals located in the UK must also comply.

Under the GDPR, organisations must have a legal reason to collect and process personal data. The six lawful bases are:

  1. Consent: The individual has given clear, informed and specific consent. Consent must be opt-in (no pre-ticked boxes). Organisations must also provide a way for individuals to withdraw consent at any time.
  2. Contract: Processing is necessary for a contract (e.g., an online purchase).
  3. Legal obligation: Processing is required by law (e.g., tax records).
  4. Vital interests: Processing is necessary to protect life (e.g., emergency medical records).
  5. Public task: Processing is necessary for official government duties (e.g., police investigations).
  6. Legitimate interests: Processing is necessary for the organisation’s legitimate interests unless overridden by individual rights.

It may also be necessary for an organisation to appoint a Data Protection Officer (DPO). A DPO may be required if an organisation handles large-scale personal data processing, processes sensitive data (e.g., health records) or is a public authority. DPOs are in charge of ensuring compliance, training employees and liaising with the Information Commissioner’s Office (ICO).

It is also important for organisations to comply with data security and breach reporting regulations. This includes:

  • Implementing strong security measures (e.g., encryption and secure access).
  • Regularly testing security systems and employee awareness.
  • Reporting data breaches to the ICO within 72 hours.
  • Notifying affected individuals if the breach poses a high risk to their rights.

The GDPR also covers record-keeping and documentation. Organisations must keep detailed records of:

  • What personal data they collect.
  • Why and how data is processed.
  • Data retention and security measures.
  • Any third parties (e.g., cloud storage providers) that process data.

The GDPR also covers international data transfers. Organisations are not allowed to send personal data outside the UK unless the destination country has sufficient data protection laws and the UK government has approved the transfer method.


How to Stay UK GDPR Compliant

It is important that companies have strong data protection measures and respect individuals’ privacy rights to stay compliant. This includes:

What is your lawful basis for data processing?

Before collecting personal data, make sure you know the legal reason for processing it. You must have one of the six lawful bases mentioned above (consent, contract, legal obligation, vital interests, public task or legitimate interests). It is important to document which lawful basis applies to every single data processing activity. If the lawful basis is consent, the consent must be opt-in only (not a pre-ticked box), easy to recognise and easy to withdraw.

Have you reviewed and updated your Privacy Policy?

It is important that your Privacy Policy explains how and why you collect personal data. Your Privacy Policy should include:

  • What data is being collected.
  • Why it is being collected (the lawful basis).
  • How long the data is stored for.
  • Who the data is shared with (e.g., third parties).
  • What rights users/customers have (e.g., access, deletion and correction).
  • Contact details for data queries and complaints.

The Privacy Policy should be easy to find (e.g., clearly displayed on the company website). It should also use clear and simple language and avoid legal jargon.

If you rely on consent to process data, it is important that the consent meets UK GDPR requirements. Consent should be:

  • Freely given (e.g., not forced or misleading).
  • Specific and informed, ensuring that users know exactly what they are agreeing to.
  • Unambiguous, with clear, affirmative action (e.g., ticking an ‘I Agree’ box).
  • Easy to withdraw: Users must be able to withdraw consent at any time.

Organisations must keep a record of when and how consent was given. They should also offer an easy way for users to withdraw consent (e.g., an ‘Unsubscribe’ link in an email).

Have data security measures been strengthened?

To prevent data breaches, organisations must implement strong security controls. This could be technical security measures, such as:

  • Encrypting sensitive data (especially when storing or transmitting it).
  • Using multi-factor authentication (MFA) for account access.
  • Regularly updating software and applying security patches.
  • Restricting access to personal data.
  • Conducting regular cybersecurity risk assessments.

Security measures can also be organisational, for example:

  • Training employees on data protection best practices.
  • Ensuring third-party vendors also comply with the UK GDPR.
  • Implementing data retention policies (e.g., deleting data when it is no longer needed).

Practical examples of strengthened data security measures include the use of firewalls and intrusion detection systems, using strong passwords that are changed regularly and having a data breach response plan in place.

Have you implemented procedures for handling data subject requests?

Individuals have rights under the UK GDPR, such as the right to access, correct, delete or move their data. Any requests must be responded to within one month. To ensure compliance, it is recommended that organisations set up an internal process to handle requests efficiently, train employees on how to recognise and respond to data subject requests and ensure that no fees are charged for these requests.

Are you keeping detailed records of data processing activities?

The UK GDPR requires businesses to document how they handle personal data. Organisations should maintain a record of processing activities and schedule annual record reviews, to ensure accuracy and compliance.

Are all data breaches reported within 72 hours?

If a data breach occurs (e.g., a hacking or accidental data leak), organisations must:

  • Notify the ICO within 72 hours if there is a risk to individuals.
  • Inform affected individuals if the breach is serious.
  • Keep records of all breaches, even minor ones.

As well as having a data breach response plan in place, it is also important to regularly test your incident response and reporting procedures to ensure they are effective.
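The record-keeping duties described in this section (a record of when and how consent was given and of its withdrawal, a documented lawful basis and retention period per processing activity, and the 72-hour ICO notification deadline counted from the moment the organisation becomes aware of a breach) are easy to state and easy to get wrong in practice. The following is an added example, not code from the original article or from any named organisation, showing one way to keep those records in a small ledger; every class name, field and sample value in it is constructed for illustration.

```python
"""Added example (not part of the original article): a small compliance
ledger that records opt-in consent and its withdrawal, documents each
processing activity's lawful basis and retention period, flags records
past their retention (storage limitation) and tracks the 72-hour ICO
notification deadline.  All names and values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The six lawful bases listed in the article; anything else is rejected.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}
# ICO must be notified within 72 hours of becoming aware of a breach.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                # matches a ProcessingActivity name
    given_at: datetime
    method: str                 # how it was captured, e.g. "web form checkbox"
    withdrawn_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.withdrawn_at is None or self.withdrawn_at > now


@dataclass
class ProcessingActivity:
    """One row of the record of processing activities."""
    name: str
    lawful_basis: str
    data_categories: list
    retention: timedelta
    processors: list = field(default_factory=list)   # third parties


class ComplianceLedger:
    def __init__(self):
        self.activities = {}
        self.consents = []
        self.breaches = []

    def register_activity(self, activity: ProcessingActivity) -> None:
        if activity.lawful_basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis: {activity.lawful_basis}")
        self.activities[activity.name] = activity

    def record_consent(self, subject_id, purpose, method, given_at,
                       opted_in: bool = True) -> ConsentRecord:
        # A pre-ticked box is not consent: only an affirmative opt-in is stored.
        if not opted_in:
            raise ValueError("consent must be an affirmative opt-in action")
        rec = ConsentRecord(subject_id, purpose, given_at, method)
        self.consents.append(rec)
        return rec

    def withdraw_consent(self, subject_id, purpose, at: datetime) -> bool:
        # Withdrawal is recorded against the consent, never deleted from history.
        for c in self.consents:
            if (c.subject_id == subject_id and c.purpose == purpose
                    and c.withdrawn_at is None):
                c.withdrawn_at = at
                return True
        return False

    def may_process(self, subject_id, activity_name, now: datetime) -> bool:
        activity = self.activities[activity_name]
        if activity.lawful_basis != "consent":
            return True   # basis is documented in the activity record itself
        return any(c.subject_id == subject_id and c.purpose == activity_name
                   and c.is_active(now) for c in self.consents)

    def expired_records(self, activity_name, records, now: datetime) -> list:
        """Storage limitation: ids of (id, collected_at) pairs past retention."""
        retention = self.activities[activity_name].retention
        return [rid for rid, collected_at in records
                if now - collected_at > retention]

    def log_breach(self, description, became_aware_at, high_risk) -> datetime:
        deadline = became_aware_at + ICO_NOTIFICATION_WINDOW
        self.breaches.append({"description": description,
                              "became_aware_at": became_aware_at,
                              "high_risk": high_risk,      # notify individuals
                              "ico_deadline": deadline,
                              "ico_notified_at": None})
        return deadline

    def overdue_breach_reports(self, now: datetime) -> list:
        return [b for b in self.breaches
                if b["ico_notified_at"] is None and now > b["ico_deadline"]]


if __name__ == "__main__":
    ledger = ComplianceLedger()
    ledger.register_activity(ProcessingActivity(
        "marketing_email", "consent", ["email address"], timedelta(days=365),
        processors=["Example Mail Vendor Ltd (constructed)"]))
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("user-1", "marketing_email", "web form checkbox", t0)
    print("may email user-1:", ledger.may_process("user-1", "marketing_email", t0))
    deadline = ledger.log_breach("constructed: unencrypted laptop lost", t0, True)
    print("ICO deadline:", deadline.isoformat())
```

Every breach, including minor ones, goes into the ledger even when the ICO need not be notified; the `high_risk` flag records whether affected individuals must also be informed. Because withdrawals are stored alongside the original consent rather than overwriting it, the ledger can still show when and how consent was given after it has been withdrawn.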

Have you checked if any third-party companies are also compliant?

If an organisation uses third-party services (such as cloud storage or marketing platforms), the third party must also comply with the UK GDPR. Organisations should:

  • Check contracts with vendors to ensure they meet the GDPR standards.
  • Use Data Processing Agreements (DPAs) when working with third parties.
  • Only work with GDPR-compliant providers.

Have you organised regular GDPR audits and employee training?

Ongoing compliance requires continuous monitoring and training. This could include:

  • Conducting quarterly or annual GDPR compliance audits.
  • Training employees on data protection policies and security.
  • Updating policies based on new regulations or changes in business practices.

Failing to comply with UK GDPR can lead to severe legal and financial consequences, including hefty fines, lawsuits, reputational damage and operational restrictions. Below are the main risks of non-compliance:

Financial penalties

One of the most significant risks of non-compliance is financial penalties. If you are found to be non-compliant, the Information Commissioner’s Office (ICO) can issue fines of up to:

  • £17.5 million or 4% of a company’s global annual turnover, whichever is higher, for serious violations.
  • £8.7 million or 2% of global turnover for less severe breaches (e.g., failure to maintain proper records).

Not being compliant can also result in legal action. Individuals can take legal action and sue organisations if they believe their data protection rights have been violated. For example:

  • If their privacy rights have been breached (e.g., unauthorised data sharing).
  • If they have been denied access to their personal data.
  • If they experienced emotional distress or financial losses because of data misuse or breaches.

Consequences of data breaches

If a company doesn’t properly protect personal data and that data is compromised, the organisation is obliged to report the incident to the ICO within 72 hours. It may also be necessary to notify affected individuals. Not following these procedures can result in financial penalties and regulatory investigations. Companies that don’t implement effective security measures to protect personal data may face extra scrutiny from regulatory bodies. In some cases, the ICO has ordered companies to stop processing personal data altogether, which can severely impact business operations.

Damage to the organisation’s reputation

Reputational damage is another possible consequence of GDPR violations. If an organisation is found to have mishandled personal data, it could lose the trust of its customers, experience negative media coverage and see a decline in business. Clients, business partners and third-party vendors may also reconsider their relationships with non-compliant companies, since they too may be affected.

Third-party liabilities and contract termination

Another risk comes from third-party liabilities. Organisations that work with external companies, such as cloud storage providers or marketing agencies, are also required to ensure these third parties comply with GDPR. If a vendor doesn’t follow the regulations, the organisation that collected the data may still be held responsible. Non-compliance can also lead to contracts being terminated and can significantly affect the business.


Previous Cases

Several high-profile companies have faced significant fines and legal consequences for failing to comply with the GDPR. Below are some of the most well-known cases of GDPR violations:

British Airways: £20 million fine (2020)

In 2018, British Airways (BA) suffered a major data breach in which attackers accessed the personal and financial details of over 400,000 customers. The breach was caused by poor security measures that allowed the attackers to divert customer traffic to a fraudulent website, where sensitive information, including payment details, names and addresses, was stolen. British Airways did not become aware of the breach for two months.

The ICO investigated and found that BA did not have sufficient security measures in place to protect its customers and was not using controls such as multi-factor authentication. The ICO originally proposed a fine of £183 million but later reduced it to £20 million as a result of the airline’s cooperation and the financial impact of the COVID-19 pandemic.

Marriott Hotels: £18.4 million fine (2020)

Marriott International suffered a data breach affecting 339 million guests worldwide, including seven million UK customers. The breach originated in a cyberattack on Starwood Hotels and Resorts Worldwide in 2014. Marriott bought Starwood Hotels in 2016; however, it failed to identify and secure the compromised data, and the breach was not detected until 2018.

The ICO ruled that Marriott did not take adequate security steps to prevent the attack and failed to protect millions of customers. Personal data, including names, email addresses, phone numbers and passport information, was affected. The ICO fined the company £18.4 million.

Google: €50 million fine (2019)

CNIL, the data protection authority in France, fined Google €50 million for lack of transparency and improper consent processes. The company was accused of making it difficult for users to find essential information about how their data was collected and processed.

Google was also found to be using a default opt-in mechanism for personalised ads, which did not meet the GDPR’s requirements regarding transparency, providing adequate information and gaining valid consent for personalised advertising.

H&M: €35.3 million fine (2020)

H&M was fined €35.3 million in Germany after it was discovered that the company illegally monitored the private lives of several hundred of its employees. H&M was found to be collecting their employees’ personal data unnecessarily, including information about family issues, religious beliefs and health conditions. This data was stored without proper consent and used for workplace management decisions, violating GDPR’s data protection principles.

TikTok: £12.7 million fine (2023)

TikTok was fined £12.7 million by the UK’s ICO for misusing children’s personal data. The platform allowed up to 1.4 million children from the UK under the age of 13 to use the service without proper parental consent, violating GDPR’s rules on processing children’s data.

The ICO found that TikTok did not do enough to check users’ ages and remove underage accounts, which put children’s personal data at risk. It also found that even though concerns were raised internally by senior TikTok employees, not enough was done to remove children from the platform.

Meta (Facebook): €1.2 billion fine (2023)

Meta (Facebook’s parent company) received the largest GDPR fine ever, €1.2 billion, for illegally transferring EU users’ data to the US without proper safeguards. The European Data Protection Board ruled that the way Meta handled personal data violated the GDPR and that European users of Facebook were not protected against US government surveillance, because the US had insufficient checks in place to protect personal information compared with Europe. The fine was issued by Ireland’s Data Protection Commission (DPC), and Meta was ordered to suspend data transfers and bring its practices in line with the GDPR.


About the author


Nicole Murphy

Nicole graduated with a First-Class Honours degree in Psychology in 2013. She works as a writer and editor and tries to combine all her passions - writing, education, and psychology. Outside of work, Nicole loves to travel, go to the beach, and drink a lot of coffee! She is currently training to climb Machu Picchu in Peru.