Principles of GDPR & What Breaches Mean for Business

The General Data Protection Regulation (GDPR) came into effect in 2018. Through outlining certain processes for handling and storing information, it provides a legal framework for organisations to keep personal data safe.

The Data Protection Act 2018 is the UK’s implementation of GDPR.


Principles of GDPR

GDPR outlines certain data protection principles. All organisations must ensure that all the information they handle is:

  • Used fairly, lawfully, and transparently; and only for explicitly specified purposes.
  • Used only in a way that’s relevant and necessary.
  • Accurate and updated whenever necessary.
  • Kept only for as long as is necessary. Individuals also have a “right to be forgotten”, meaning they have a say in how long you can store information about them.
  • Properly handled so as to ensure appropriate security. This must include protections against unauthorised access or sharing, along with safeguards against loss, destruction, or damage.

GDPR Breach Fines

There are severe penalties for any organisation found to be in breach of GDPR principles. The maximum penalty can be €20 million (around £17.5 million), or 4% of an organisation’s global revenue – whichever amount is greater.

Examples of GDPR Breaches

Some of the biggest GDPR fines so far have included:

  • Google – Fined £43.2 million in 2019 for failing to make its consumer data easily accessible. Google also failed to gain adequate consent from users to harness their data for targeted advertising – a clear breach of the principle that data must only be used for explicitly specified purposes.
  • H&M – Fined £32.1 million in 2020 when found guilty of secretly recording return-to-work interviews and using the data to profile employees.
  • British Airways – Fined £20 million in 2020 following a major data breach. Due to the breach, hackers gained access to the personal data of around 400,000 British Airways customers, including their credit card information. This is a breach of the GDPR principle that makes organisations wholly responsible for ensuring the security and integrity of any sensitive data they store.

Yet not all GDPR breaches result in such hefty fines. The UK’s Information Commissioner’s Office (ICO) may instead issue warnings and reprimands, or impose bans on certain data management processes. It can also order organisations to rectify, restrict, or erase certain data.

How to Avoid GDPR Breaches

Are your data management processes in line with GDPR’s data protection principles? If you’ve not done so already, you should arrange for a specialist audit to ensure that the way you gather, store, and manage customer data is in line with GDPR and the UK’s Data Protection Act.

It’s also a good idea to design and implement a cyber security policy for your business. Among other things, this will help you outline policies and procedures for how you manage sensitive data, along with plans for how you’ll respond in the event of a data breach to limit the damage.

Finally, you should invest in dedicated cyber insurance. While a cyber insurance policy cannot itself make a data breach less likely, it can provide essential cover for the costs and other damages you may incur as a result of a breach.

Get more information about how cyber insurance works and what it covers, and get a free no-obligation quote in minutes.

If you have any questions or would like to discuss your options please contact our Tapoly team at, call our help line on +44(0)2078460108 or try our chat on our website.