Agents who breach data requirements could be hit with penalties far greater than the £80,000 levied against London agent Life at Parliament View Limited.
The warning has come from lawyer Andrew Logan, head of regulatory at law firm Gordons, following the case.
LPVL, an ARLA firm, was penalised by the Information Commissioner’s Office after data was transferred to an outsourced firm, described as a letting transaction service.
The data was transferred without access restrictions, allowing anyone to go online to look at 18,610 customers’ personal data for a period of two years.
The data included details of bank statements, salaries, copies of passports, dates of birth and addresses of tenants and landlords.
However, the breach took place before new regulations came into force, and the punishment regime is now far harsher.
Logan said: “LPVL can count itself lucky that this data breach occurred before the EU’s General Data Protection Regulation (GDPR) came into force last year.
“Already this month we’ve seen British Airways and Marriott Hotels being given notice by the ICO of their intention to issue fines of £183.39m and £99.2m respectively for poor performance when it comes to protecting their customers’ data, after the ICO was given greater powers under GDPR.
“If an organisation is in serious breach of GDPR – as has been ruled in these recent high-profile cases – the ICO (and other regulators across Europe) can now issue a penalty notice for up to 4% of annual global turnover or €20m, whichever is higher.
“This figure was previously capped at £500,000. Although LPVL will be hit hard by the £80,000 fine, it could have been far higher under GDPR.
“It’s easy to see the financial impact this could have on a company, particularly those without the financial clout of British Airways or Marriott Hotels, and this is yet another reminder to organisations about the importance of data protection.”