ARTICLE
19 March 2025

Maximum Penalties for Data Breaches and Payment Card Data: Legal Considerations

L
LegalVision

Contributor

LegalVision logo
LegalVision, a commercial law firm founded in 2012, combines legal expertise, technology, and operational skills to revolutionize legal services in Australia, New Zealand, and the UK. Beginning as an online legal documents business, LegalVision transitioned to an incorporated legal practice in 2014, and in 2019 introduced a membership model offering unlimited access to lawyers. Expanding internationally in 2021 and 2022, LegalVision aims to provide cost-effective, quality legal services to businesses globally.
Explore Firm Details
Protect payment card data by using a PCI DSS-compliant payment processor and avoiding storage of card details.
United Kingdom Privacy
Sej Lamba
Your Author LinkedIn Connections

In Short

  • Data breaches can lead to ICO enforcement, financial penalties, and reputational harm, particularly if payment card details are exposed.
  • Businesses must take strong security measures, including using secure payment providers, avoiding card data storage, and limiting access.
  • If a breach occurs, you may need to report it to the ICO and notify affected individuals.

Tips for Businesses

Protect payment card data by using a PCI DSS-compliant payment processor and avoiding unnecessary storage of card details. Strengthen security with strong passwords, two-factor authentication, and staff training. Regularly update software and monitor transactions for suspicious activity. Have a clear response plan in place to manage data breaches and meet legal obligations.


Data breaches can happen at any time and may have serious consequences. A simple mistake can expose personal data and lead to financial losses, legal action, and reputational harm. If a personal data breach puts individuals at risk, your business may face enforcement action, particularly if the breach results in financial harm (for example, where their payment details or financial data are stolen and misused). In some cases, affected individuals may be able to bring compensation claims. This article explores how UK data protection laws apply to personal data breaches, the penalties businesses may face, and the risks of breaches involving payment card data.

What Are the Maximum Financial Penalties for a GDPR Breach? 

Under the UK General Data Protection Regulation ( UK GDPR) and the Data Protection Act 2018  (DPA 2018), businesses that fail to protect personal data face  significant financial and legal consequences.

The Information Commissioner's Office (ICO), the regulator who enforces UK GDPR in the UK, can issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious breaches. The ICO may impose penalties of up to £8.7 million or 2% of annual global turnover for less severe breaches.

A breach of data protection law can also lead to contractual penalties, regulatory investigations and enforcement action, compensation claims, and loss of customer trust, which may impact your business long after the breach has been resolved.

The ICO has issued substantial fines arising from large personal data breaches, including breaches involving financial and payment card data.

Why Does Payment Card Data Raise Concerns?

Payment card data creates significant risks if unauthorised parties gain access to it—for instance, in a data breach. 

Suppose a breach exposes personally identifying information (such as card details combined with names, contact details, or other linked information). In that case, you must treat it as a personal data breach under UK GDPR. Your business must assess the risks and, if necessary, report the incident to the ICO and inform affected customers.


GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now


Cybercriminals can use stolen payment card data for serious acts such as fraud and identity theft, increasing the risk of financial losses for affected individuals. They might sell compromised card details on the dark web, which may lead to fraudulent transactions impacting individuals.

Some legal uncertainty remains over whether payment card details alone qualify as personal data. A UK tribunal ruled that credit card numbers and expiry dates alone do not constitute personal data under the Data Protection Act 1998 unless the controller holds additional information linking them to an identifiable individual. This ruling did not assess the position under the UK GDPR, but the ICO has sought permission to appeal for further clarification.

ICO 

Given this uncertainty, businesses should still treat payment card data cautiously and implement robust security measures. The ICO has  issued notable fines against businesses resulting from data breaches that compromised information, including payment and financial data.

Regardless of the legal debate about whether card information alone is personal data, businesses should take a cautious approach and not take risks when using payment card data (particularly where it could be combined with other details to identify individuals).

The law requires companies to have appropriate security measures in place, and payment card data should always be treated with the highest level of security to prevent fraud, maintain compliance, and protect individuals from harm.

In addition to facing data protection law consequences, your business could also breach financial regulations and other applicable laws where an individual's payment card data is compromised.

How Can Your Business Reduce the Risk of Data Breaches Involving Payment Cards?

Every business has different data security requirements, and the appropriate measures your business should take will depend on factors such as the type of data you process, your payment systems, and your risk exposure.

However, there are various common steps a business may take to reduce the risk of a data breach and protect payment card data. For example, you may wish to:

  • Use a secure payment provider:  You can opt for a PCI DSS-compliant payment processor to handle transactions securely;
  • Avoid storing card details: Do not store customer payment card information. If necessary, use strong encryption and limit access strictly;
  • Use strong passwords and two-factor authentication:  Protect business accounts with unique passwords and extra security steps to protect cardholder data;
  • Train staff on security:  Ensure employees understand how to spot phishing emails and handle customer data safely;
  • Limit access to payment data:  Restrict payment processing and card payment data access to trusted staff;
  • Keep software updated:  Regularly updating your website, payment systems, and business software may help prevent security risks;
  • Monitor for unusual activity: Review payment transactions and business accounts for signs of fraud or suspicious activity; and
  • Have a plan for data breaches:  Know what steps to take if customer data is exposed, including notifying affected individuals and reporting to the ICO if required.

These measures are critical in helping businesses strengthen security, reduce legal risks, and protect customer trust. However, businesses should assess their own risks and apply security controls suited to their needs. Businesses should also document their security decisions and risk assessments to demonstrate compliance in the event of an investigation.

Key Takeaways

If a personal data breach occurs in your business, you may face ICO enforcement action, reputational damage, and financial penalties. You should take steps to protect payment card data and related personal information. If your business suffers a data breach that compromises payment card details, the risk to individuals can be severe, and you could face significant penalties should such data be classified as personal data. As such, you should adopt strong security measures to prevent breaches and seek legal advice if you need guidance on your data security obligations. 

Frequently Asked Questions

When must a business report a data breach to the ICO?

If a breach is likely to threaten individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it.

What are the maximum fines under UK GDPR?

The ICO can fine businesses up to £17.5 million or 4% of global turnover for serious data protection failures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Sej Lamba
Sej Lamba
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More