Data Compliance Breach Firms Face Fines Of Up To £500,000

From quickly scribbled names on a sticky note to full confidential reports, Shropshire businesses have been urged to check they comply with data protection law or face fines of up to £500,000.

Under the Data Protection Act 1998 (DPA), companies are legally bound to ensure that any personal data is correctly disposed of when no longer required.

Failing to do so could result in a complaint to the Information Commissioner’s Office (ICO) and possible legal action.

Diane Gardner, managing director of WN Security Shredding in Shifnal, said it was surprisingly easy for businesses to fall foul of data compliance legislation, whether they were a small one-man band or a major multinational organisation.

And she said it was not just the risk of financial penalties, with brand damage and loss of reputation also enough to send a company under.

“Everything from a Post-It note with a name and telephone number to client surveys and customer reports must be disposed of under the DPA,” she said.

“Every single person in the UK has a legal right to ask at any point what information you hold on them, whether you still hold it and if not, how it was destroyed.

“If your response does not meet data protection laws, a complaint could be made to the Information Commissioner’s Office and that could result in legal action and a fine anywhere up to £500,000.

“Not only that but with breaches published on the ICO’s website for anyone to see, the damage to your business’s reputation and brand could be irreversible and even enough to send an organisation under.”

From January to October this year(2014) alone, a total of almost £1 million in fines has been levied by the ICO on organisations in England, Wales and Northern Ireland for data protection breaches.

These include £180,000 against the Ministry of Justice for serious failings in how prisons in England and Wales held prisoners’ personal data and £100,000 against Kent Police after highly sensitive information, including copies of police interview tapes, were left in the basement of a former police station.

Even charities are not exempt from the law, with the British Pregnancy Advisory Service hit with a £200,000 fine in March after it was found to have unlawfully retained information entered on its website for a callback service.

“The bottom line is that the DPA applies to all of us and not only do you have to ensure you correctly destroy any information you can no longer legally hold, you must also provide an audit trail to prove it has been done,” Mrs Gardner added.

WN Security Shredding celebrated its 25th year in business this year and not only securely shreds all confidential waste it collects, but the shredded paper goes on to be recycled into kitchen roll and toilet paper.

“When the DPA came into force in 1998, we were quite proud to find that we had been doing what was required even before it became law, including issuing all our customers with a certificate of destruction,” said Mrs Gardner.

For more information about the legal requirements for any business or organisation under the Data Protection Act 1998, visit the Information Commissioner’s Office website at


Pete White Pete White

Love Shrewsbury editor and chief developer at The Web Orchard, find out more on

Read More from Pete White