The Cost of Getting Data Protection Wrong


Posted 20 April, 2022 at 15:40

Author Kevin Hawkins on behalf of H2 Cyber Risk Advisory Services Ltd

As I was about to start writing this blog, the news about Funky Pigeon started coming in.  The company has announced that it suffered a cyber-attack last week and has temporarily suspended trading via its website.  The WHSmith-owned retailer took its systems offline as a precautionary measure after detecting the issue, and has temporarily suspended orders while it works to restore services.

The retailer claims that no customer payment data, such as credit card or bank account details, had been placed at risk, as such details are processed via third parties and are securely encrypted. There is also no evidence to suggest that any customer passwords were compromised and they are investigating whether customers' personal data, such as names, email accounts, addresses and personalised gift design, was accessed.

Funky Pigeon has informed the relevant authorities and regulators, and says it will continue to review its protocols based on what it learned from the incident.  A comment to be expected from a cyberattack victim.

It raises some questions for Funky Pigeon of course, such as how will this affect customer and supplier confidence?  How much will it damage the brand and what will be the reputational fallout?  All of that before remediation costs and any penalties from the ICO kick in.

Of course, that’s all speculation at the moment and until Funky Pigeon and the ICO have completed their investigations, much remains unknown.  But it brings me back to the subject I was going to write about, the penalties of a data breach.

The Data Protection Act 2018, based as it very much is on GDPR, is a very different beast from its predecessor.  The ICO now has powers to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing.  Such penalties are intended to be effective and proportionate, rather than punitive, and are judged on a case-by-case basis.

These penalties come in two flavours.  First is the higher maximum amount, which is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Ouch!

Then there is the standard maximum, which applies if there are infringements of other provisions, such as administrative requirements of the legislation.  It is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.  Still ouch!

In practice though, the ICO is not there to put you out of business, and the chance of a fine anywhere near the maximum being applied to an SME is low, but not impossible.

It is, for most SMEs, about doing what is reasonable to prevent a data breach.  That will include having the right policies and procedures, known to all staff and rolled out.  Don’t pay lip service to this; you will be found out.  It is important to be aware of the threat and take the necessary actions to prevent breaches, as well as to set out the rules for how to react when an incident is suspected.  The next step will be to create a procedure in case a data breach is confirmed.

Lack of adequate data security is an important basis for imposing fines.  Are you one of the SMEs that have swallowed the line that a firewall and some anti-virus, plus cloud storage, are all you need?

In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law.  Have you got that covered with an adequate policy and process in place and understood?

It is also vital to cooperate with the ICO.  First thing, if you think you’ve had a breach, don’t try and cover it up, but get on the phone to the ICO help line and get some advice from them.  They are helpful, and will guide you along the way.  They even have an electronic form on their website which you can use to report breaches, which has all the subject headings for the information that you will need to provide.

It is often the SMEs and small organisations that see data protection as a one-off box-ticking exercise that come unstuck.  Far too often we come across SMEs who have downloaded some policies from the internet, without actually understanding them, topped and tailed them and think that’ll do.  Wrong.

Taking responsibility for the personal data you collect, store and use will help you to avoid a fine.

Since 1 January 2022, the ICO has issued 25 penalty notices to a wide variety of companies.  They include £48K for a finance company, and £98K for a solicitors’ office.  How do you think your company could cope with fines like that?

You can’t wait for something to go wrong before you take action.  You need to demonstrate up front that you are taking compliance seriously or you could find yourself on the end of a punitive punishment that might cause your growth plans to stutter to a halt, or perhaps a fine at a level that you cannot survive.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services, including e-learning courses for staff which provide an introduction to cyber awareness and data protection.


To learn more about the services we provide please click here

Alternatively, please feel free to give us a call or email or book a session on our Calendly link:

T: 0845 5443742

M: 07702 019060

E: [email protected]

Trust H2 – Making sure your information is secure

What our customers say about us


“We originally engaged H2 to examine our liability under GDPR and devise risk managed policies and processes to ensure we met the requirements.  Their Cyber Maturity Assessment is certainly an eye opener and H2’s approach, unique in our experience of IT service companies, demonstrated clearly that we had some issues to overcome.  They were patient in providing services at our own pace and at price points which we were happy with, and were comfortable working with our current IT provider, enhancing their services and products, and plugging gaps that they do not cover.  I have no hesitation in recommending H2 to other companies who need such services.”

Lisa Williamson, Operations Manager, Savage Group
