In Short
- Data breaches can lead to ICO enforcement, financial penalties, and reputational harm, particularly if payment card details are exposed.
- Businesses must take strong security measures, including using secure payment providers, avoiding card data storage, and limiting access.
- If a breach occurs, you may need to report it to the ICO and notify affected individuals.
Tips for Businesses
Protect payment card data by using a PCI DSS-compliant payment processor and avoiding unnecessary storage of card details. Strengthen security with strong passwords, two-factor authentication, and staff training. Regularly update software and monitor transactions for suspicious activity. Have a clear response plan in place to manage data breaches and meet legal obligations.
Data breaches can happen at any time and may have serious consequences. A simple mistake can expose personal data and lead to financial losses, legal action, and reputational harm. If a personal data breach puts individuals at risk, your business may face enforcement action, particularly if the breach results in financial harm (for example, where their payment details or financial data are stolen and misused). In some cases, affected individuals may be able to bring compensation claims. This article explores how UK data protection laws apply to personal data breaches, the penalties businesses may face, and the risks of breaches involving payment card data.
What Are the Maximum Financial Penalties for a GDPR Breach?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), businesses that fail to protect personal data face significant financial and legal consequences.
The Information Commissioner's Office (ICO), the regulator that enforces the UK GDPR, can issue fines of up to £17.5 million or 4% of annual global turnover, whichever is higher, for the most serious breaches. For less severe breaches, the ICO may impose penalties of up to £8.7 million or 2% of annual global turnover.
A breach of data protection law can also lead to contractual penalties, regulatory investigations and enforcement action, compensation claims, and loss of customer trust, which may impact your business long after the breach has been resolved.
The ICO has issued substantial fines arising from large personal data breaches, including breaches involving financial and payment card data.
Why Does Payment Card Data Raise Concerns?
Payment card data creates significant risks if unauthorised parties gain access to it—for instance, in a data breach.
Suppose a breach exposes personally identifying information (such as card details combined with names, contact details, or other linked information). In that case, you must treat it as a personal data breach under UK GDPR. Your business must assess the risks and, if necessary, report the incident to the ICO and inform affected customers.
Cybercriminals can use stolen payment card data for serious acts such as fraud and identity theft, increasing the risk of financial losses for affected individuals. They might sell compromised card details on the dark web, which may lead to fraudulent transactions impacting individuals.
Some legal uncertainty remains over whether payment card details alone qualify as personal data. A UK tribunal ruled that credit card numbers and expiry dates alone do not constitute personal data under the Data Protection Act 1998 unless the controller holds additional information linking them to an identifiable individual. This ruling did not assess the position under the UK GDPR, but the ICO has sought permission to appeal for further clarification.
Given this uncertainty, businesses should still treat payment card data cautiously and implement robust security measures. The ICO has issued notable fines against businesses resulting from data breaches that compromised information, including payment and financial data.
Regardless of the legal debate about whether card information alone is personal data, businesses should take a cautious approach and not take risks when using payment card data (particularly where it could be combined with other details to identify individuals).
The law requires companies to have appropriate security measures in place, and payment card data should always be treated with the highest level of security to prevent fraud, maintain compliance, and protect individuals from harm.
In addition to facing data protection law consequences, your business could also breach financial regulations and other applicable laws where an individual's payment card data is compromised.
How Can Your Business Reduce the Risk of Data Breaches Involving Payment Cards?
Every business has different data security requirements, and the appropriate measures your business should take will depend on factors such as the type of data you process, your payment systems, and your risk exposure.
However, there are various common steps a business may take to reduce the risk of a data breach and protect payment card data. For example, you may wish to:
- Use a secure payment provider: You can opt for a PCI DSS-compliant payment processor to handle transactions securely;
- Avoid storing card details: Do not store customer payment card information. If necessary, use strong encryption and limit access strictly;
- Use strong passwords and two-factor authentication: Protect business accounts with unique passwords and extra security steps to protect cardholder data;
- Train staff on security: Ensure employees understand how to spot phishing emails and handle customer data safely;
- Limit access to payment data: Restrict payment processing and card payment data access to trusted staff;
- Keep software updated: Regularly updating your website, payment systems, and business software may help prevent security risks;
- Monitor for unusual activity: Review payment transactions and business accounts for signs of fraud or suspicious activity; and
- Have a plan for data breaches: Know what steps to take if customer data is exposed, including notifying affected individuals and reporting to the ICO if required.
These measures are critical in helping businesses strengthen security, reduce legal risks, and protect customer trust. However, businesses should assess their own risks and apply security controls suited to their needs. Businesses should also document their security decisions and risk assessments to demonstrate compliance in the event of an investigation.
Key Takeaways
If a personal data breach occurs in your business, you may face ICO enforcement action, reputational damage, and financial penalties. You should take steps to protect payment card data and related personal information. If your business suffers a data breach that compromises payment card details, the risk to individuals can be severe, and you could face significant penalties should such data be classified as personal data. As such, you should adopt strong security measures to prevent breaches and seek legal advice if you need guidance on your data security obligations.
Frequently Asked Questions
When must a business report a data breach to the ICO?
If a breach is likely to threaten individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it.
What are the maximum fines under UK GDPR?
The ICO can fine businesses up to £17.5 million or 4% of global turnover for serious data protection failures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.