Guest blog: Orlagh Kelly - Avoiding GDPR fines of up to £17million

23 November 2017

Much attention is being given to General Data Protection Regulations (GDPR) which is new data protection legislation which will be enforced in the UK from 25th May 2018.

This blog from Briefed is designed to give barristers and chambers relevant, realistic and effective guidance.

Over the coming months we will cover many topics which will increase your understanding of how you can be compliant with the new legislation, and protect your practice.

Orlagh Kelly 


Until 25 May 2018 the Information Commissioner's Office (ICO) has the power to impose a fine of up to £500,000 in relation to a data breach. However, with the introduction of GDPR, from May 2018 this fine can be up to £17,000,000 or up to 4% of a business's turnover, whichever is higher. But in what circumstances do the ICO actually impose financial penalties?

The Information Commissioner has a statutory power to impose a financial penalty on a self-employed barrister if it is satisfied that:

There has been a serious breach of one or more of the data protection principles by the barrister and the breach was likely to cause substantial damage or distress.

The power to impose a financial penalty only applies if:

The breach was deliberate or

The barrister knew (or should have known) that there was a risk of a breach which was likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it.

The ICO will take account of the circumstances of each case when deciding the amount of any financial penalty.

As a barrister, you will be personally responsible for this fine, not your Chambers.
This fine is not indemnified under standard professional indemnity insurance.

Real Life Data Breach

In Lewisham, a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on. The files, which were later recovered from the rail company's lost property office, included GP and police reports and allegations of sexual abuse and neglect. Imposing a fine of £70,000 for this breach the ICO said:

"It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by people treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.


A simple mistake such as leaving papers on a train or sending an email to the wrong person is sufficient to incur a fine from the ICO. Barristers and chambers need to take a proactive approach to protecting client data, and particular be able to demonstrate, in the event of a breach, that they have taken all reasonable measures to be GDPR compliant.

Orlagh Kelly was called to the Bar in 2003. She is the CEO of Briefed GDPR, a specialist training and consultancy agency which offers bespoke compliance GDPR compliance training and products for barristers and chambers.