Handling Personal Information?

Stay on the right side of the UK Data Protection Act 2018 and avoid steep penalties for non compliance

Names, Addresses, Mobile No’s, Bank Account details
Individuals, Tradesmen, Professionals, Companies, Public Bodies and Councils
It’s not just large Corporations, Google and Facebook!

GDPR can be complex and time consuming to comply with
We can handle all your GDPR Issues
Relax we are here to offer you a helping hand
Find Out How

Meeting the UK Data Protection Act 2018 Regulations

The UK Data Protection Act 2018 (Incorporating The GDPR) is a compliance law intended to strengthen data protection for individuals across the EU. The DPA replaces the 1995 data protection directive and changes the way organisations must handle the personal data / information of EU residents.

The DPA will impact every entity that holds or uses personal information of EU residents regardless of whether this information is hosted within or outside of the EU.

The new Law has introduced widespread changes to current law and will greatly increase financial sanctions for non-compliance (up to 4% of annual worldwide turnover for groups of companies).

The Law has been enforced since 25th May 2018 and organisations are required to implement all the necessary changes to their systems and operations to meet the new compliance rules. With a greater emphasis on transparency and accountability for the processing and protection of data and how organisations demonstrate their compliance, the DPA should not solely be viewed as an information security issue but a fundamental business and governance challenge.

Data Privacy
We can help!

52% of Businesses are not GDPR compliant

Adherence to the GDPR is not optional and should be adopted, verbatim by each EU country; there shall be no country specific interpretations. According to a recent survey of senior business leaders, many UK business are still unsure when it comes to the application of the Data Protection Act (GDPR) in their organisation. But despite its regulatory impact the DPA should also be viewed by all businesses as a benchmark of quality. In a competitive market place where customer loyalty and retention is key, organisations that demonstrate compliance with the DPA are more likely to maintain the trust, respect and loyalty of their customers.

Scary but true

GDPR Stats

Data Protection Authorities across the EU not just the UK have received thousands of complaints and breach notifications, and the first fines, penalties and sanctions are being imposed. Registration fees fund the Information Commissioners Office (ICO) whilst all other fines and penalties flow straight to HM Treasury!

Public Opinion
Nearly half (48%) of U.K. adults expressed plans to activate new rights over their personal data as a result of GDPR.
Fifty-eight percent of U.K. consumers said they worry that a company might sell their personal information to other companies.
Forty-three percent of U.K. consumers said they want companies that don’t follow data protection rules to pay bigger fines.
ICO Stats
Increase in Data Protection Complaints since 2018
Increase in Data Breaches Reported to the ICO since 2018
Fines Issued to Non-Compliant Companies by the ICO in 2018

ICO Fees & Fines

Data Protection Fee

All organisations, companies and sole traders that process personal data must payan annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350. The money collected from the data protection fee funds the ICO’s work to uphold information rights such as investigations into data breaches and complaints, our popular advice line, and guidance and resources for organisations to help them understand and comply with their data protection obligations. 

Micro Organisations
Maximum turnover of £632,000 or no more than 10 members of staff
ICO Fee: £40
Max Fine: £400
Maximum turnover of £36million or no more than 250 members of staff.
ICO Fee: £60
Max Fine: £600
Large Organisations.
Those not meeting the employment or turnover criteria of Tiers 1 or 2.
ICO Fee: £2,900
Max Fine: £4,350


Data Protection Fines

Fines for non compliance are shown below - Not complying with the Data Protection Act can also put the viability of your business and the future of your company at serious risk. Do you really want to be the only one who doesn’t comply with a Law which is mandatory in the whole European Union? If we add to all this any claims made by users affected by your infraction or possible complaints from any corporate or economic operator, believe us: flouting the regulation will end up affecting you more than you could ever imagine. And, make no mistake: it won’t be worth it.

Tier 1 Fines
Fines of up to £9million or 2% of annual global turnover can be issued for infringements of articles:
  • 8  (conditions for children’s consent);
  • 11 (processing that doesn’t require identification);
  • 25–39 (general obligations of processors and controllers);
  • 42 (certification); and
  • 43 (certification bodies).
Tier 2 Fines
Fines of up to £18million or 4% of annual global turnover can be issued for infringements of articles:
  • 5 (data processing principles);
  • 6 (lawfulness of processing);
  • 7 (conditions for consent);
  • 9 (processing of special categories of data);
  • 12–22 (data subjects’ rights); and
  • 44–49 (data transfers to third countries or international organisations).
Want to find out more? Contact Us Today


COntact us now

Are you prepared in the following areas of the Data Protection Act 2018 (GDPR)?

You must have a good awareness of the following:
Awareness / Training

It is vital that decision makers and key people in your organisation are aware of and understand the impact that The Data Protection Act 2018 (Inc GDPR) will have on the business and employees.

CCTV Domestic - Business

If your CCTV system captures images of people outside the boundary of your business property the Data Protection Act 2018 will apply to you.

Communicating Privacy Information

When you collect personal information, you have to give people certain information in return, your identity, how the information is used, explain the lawful bases for processing the information, retention periods and that individuals have the right to complain to the ICO.

Data Breaches

Procedures should be adopted to effectively detect, report and investigate a personal data breach. Depending on the type of breach, you are required to notify the ICO and the individuals effected.

Data Limitation (Retention)

You must not keep personal information for longer than is necessary. If the business no longer needs the information the individuals has the right to erasure (deletion).

Data Storage (Including the Cloud)

The safe storage and access of information is vital for Data Protection compliance. This applies to all systems employed, laptops and all mobile devices used by the firm.

Data Subject Access Requests

A request can be made to any employee in the organisation and not necessarily in the format you wish. The Organisation will have one calendar month to comply and usually cannot charge for this service.

Individual Rights

Individuals have increased rights regarding how their information is held and used. They now have a right of access to this information. It is imperative that your business understands these rights and how to recognise and handle such requests from individuals.

International Business (Post Brexit)

Those businesses that trade with the European Union will have to designate a suitable representative based in the EU. To handle all necessary liaison relating to GDPR compliance.

Lawful Basis for processing personal data

You must (mandatory) have a valid lawful basis in order to process personal information, which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Personal information held

It is mandatory that you document what personal information you hold, where it comes from and who you share it with. GDPR (Art 30) requires you to maintain records of your processing activities.

Special Categories (Personal Data)

Such as Racial, Political, Religious, Genetic data, Trade Union membership, Sex or Sexual Orientation should only be processed under certain circumstances.

Our Process to Compliancy

We follow a three stage logical approach to compliance
Stage 1
Initial Business Examination
We assess your current position against the requirements of the Data Protection Act 2018 (GDPR) legislation, our experts will undertake a thorough analysis of the personal information you handle and business processes you use in the collection and processing of that information.
Stage 2
Business Analysis & Assessment
We will carry out a data mapping exercise and gap analysis of your organisation against the requirements of the DPA 2018. We will review your personal information storage and management processes to determine any present risks which may affect your organisations ability to comply with the legislation. The analysis will be undertaken with key members of staff across your business.
Stage 3
Compliance with Legislation
Using the findings and recommendations from the examinations and assessments used in stages 1 and 2, we will prepare a report highlighting, immediate and future activities, including drafting policies and documentation that you will need to show compliance and limit the likelihood of any significant fines being levied.

Our Client Reviews

"From our first meeting to the delivery of all policies, documentation and improvements to business procedures, the process was very simple and painless. After the initial information gathering meetings TWI handled all the production, answered all our questions we had clearly and promptly and importantly to ourselves kept to their plan and timeframe for compliance "completion".

"We did utilise TWI for further training and general awareness for all staff of the business, vital in relation to subject access requests"

MLR Career Step, Professional Recruitment

2nd Review goes here

Talk to us about Compliance

Contact us to get started!

TWI is an experienced provider of the Data Protection Act 2018 (GDPR) and (PECR) compliance services. Experienced in dealing with SME's and from Charities to large FTSE 100 Organisations.
At TWI we give honest, straight forward and independent advice that helps customers navigate an increasingly complex and regulated digital business world.     

We provide a clear business plan to compliance, with a flexible and cost-effective approach that suits all sizes of organisation. With almost 30 years’ experience at the heart of the rapidly evolving business environment, TWI has established a position as a leading advisor to high profile clients from the private & public sectors, including retail, professional, financial and leisure organisations.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form

Call us

You can reach us on weekdays on: 
07857 342875

eMail us

Mail us directly on our email: info@twigdpr.co.uk


Connect with us directly on our LinkedIn channel: @twigdpr.co.uk


It is vital that decision makers and key people in your organisation are aware of and understand the impact that The Data Protection Act 2018 (GDPR) will have on the business and employees.