Data Protection & Cyber Security

Full range of service for all types of companies in Great Britain

About us

Responsible for this service, together with the team, is

Agata Mazur

– Qualified European Lawyer on the list of the District Chamber (OIRP) Pz – 4676

– Registered ICO number: ZB528665

– Co-creator of the GDPRHub data source, as a reporter for the national jurisdictions of Great Britain and Poland

Frequently Asked Questions

Check below the answer to common questions:

What exactly is personal data?

This is any information on the basis of which a natural person can be identified, e.g. name and surname, NIN, address of residence, health data, image, computer IP address, etc.

What personal data is sensitive data?

Sensitive data is personal data revealing information such as:

- racial or ethnic origin,
- political opinions, religious or ideological beliefs,
- trade-union membership,
- genetic data and biometric data,
- health-related data, sexuality or sexual orientation of a natural person.

The processing of sensitive data is only allowed in specific cases and with more restrictive obligations.

Do I have any obligations if I run just a small online shop in the UK?

Of course. Everyone who runs a business, even the smallest entrepreneur or charity organisation, is subject to the obligation to protect personal data.

Only those who process personal data for personal or household purposes do not have to comply with the rules of the GDPR.

In a nutshell, you need to have policies and procedures, training for yourself and your staff, and protect personal data kept online and offline.

What is the Information Commissioner's Office (ICO)?

The Information Commissioner's Office (ICO) is the institution supervising the correct application of personal data protection law in the UK.

This institution was established by the Data Protection Act 2018 (which entered into force on May 25, 2018).

This piece of legislation also updated and replaced the previous UK Data Protection Act 1998.

What is a Data Protection License?

Some businesses and organisations in the UK are required to pay for an annual licence to process personal data, the "Data Protection License".

The fee is £40 a year for small and medium-sized businesses. Whether you are obliged to pay depends on what type of business you run (over 30 different types must pay for a licence) and what personal data you process: if you process sensitive data you are always obliged to pay for a licence, even if you only have CCTV on your premises.

The penalty fees for not complying with this obligation depend on the size of the entity; for example, for a small entity whose licence fee is £40 per year, the penalty fee is £400.

Who needs an EU/UK Representative?

After December 31, 2020, legal entities in the UK processing personal data of individuals in the EU are subject to Art. 27 of the GDPR, which provides for non-EU organisations:

- the obligation to have an EU Representative in one of the EU countries for the purpose of protecting the personal data of people from the EU (it can be a branch of a company, a natural person or a legal person),

- if the non-EU entity processes personal data of individuals in the EU only occasionally, the possibility of exemption from this obligation, provided it can present a document confirming this (e.g. our Post-Audit Report).

For entities that are not UK entities, the same duty has also been introduced in England.
Entities from the European Union and from outside its area need to appoint a UK Representative for contacts with the ICO and with data subjects who are UK residents, or hold a document on the basis of which the entity from outside the UK is exempt from this obligation (e.g. our Post-Audit Report).

What are the most common reasons for a company to be fined in the UK?

  • No ICO licence
  • Consent for data processing not properly obtained from the data subject
  • Unclear Privacy Policy, for example one that does not specify the legal basis justifying the data processing
  • No clear definition of the processing period; a common entry is "processing until consent is withdrawn"
  • No risk analysis (DPIA) when processing sensitive data
  • Avoiding contact with the data subject after their request
  • Documents containing personal data stored unattended

What penalty can be imposed on a company in the UK by the ICO?

The maximum fine the ICO can impose is £17.5m or 4% of the company's annual global turnover, whichever is higher.

In determining the amount of the fine, the ICO will consider a number of factors, including: the nature, severity and duration of the infringement; the number of victims and the extent of the damage they suffered; whether the breach was intentional or negligent; and whether appropriate action has been taken to mitigate the damage.

The biggest penalties imposed in the UK are:

British Airways - £20 million; Marriott Hotels - £18.4 million; Clearview AI - £7.5 million; Ticketmaster - £1.25 million; We Buy Any Car - £200,000.

Am I accountable only to the ICO?

Any company can be sued for damages for a breach involving someone's personal information.

In order to claim compensation, it is enough that the individual suffered distress because of the breach of their personal data.

The company may be released from the liability to pay compensation if it proves that it is not at fault for the event that led to the infringement and thus to the damage (presumption of fault), e.g. by presenting company documentation, staff training records, security software and other measures.

It is also important to note that, as a business owner, you are responsible for your own violations as well as for those of your staff and even external collaborators (e.g. your accountant or your marketing person).


A question about the GDPR might be worth up to 17.8 million pounds to a UK company.

What else can we arrange for you?

It is very important for your company that you and your employees always have legitimately licensed software, antivirus, a firewall and protection against cyber attacks.

However, because the cyber threat risk is now very high, more and more businesses take out cybersecurity and data breach insurance.

If you want to know what kind of solution we can offer you in this matter, contact us by email or phone, or book our free online consultation.

Data Leak Prevention Software

Anti-Virus Software

Cyber Security Insurance

Data Breach Insurance



You have probably noticed that for some time now there has been less spam in your email inbox, while the number of clicks required as you surf the internet, such as consenting to "cookies" or "privacy policies", has increased.

All this is due to the provisions governing the protection of personal data, the UK GDPR.

If you look at the statistics, awareness of personal data protection rights in the UK is one of the highest in Europe.

Increasingly, companies are also trying to act in accordance with the regulations in this area, especially since full compliance with the law requires only 7 steps:

1 – trace the data flow;
2 – specify the legal basis for processing and obtain consent;
3 – develop the required documentation;
4 – train the staff;
5 – register with the ICO;
6 – keep the required records;
7 – monitor data protection, implement the rights of data subjects, and protect the website against cyber attacks.

[Statistics shown as graphics on the original page: customers in the UK aware of their rights; companies in the UK that recorded a cyber attack in the last year; companies in the UK still not compliant with the UK GDPR.]