Share this content

Data protection breach fines jump to half a million pounds

13th Jan 2010
Share this content

Careless businesses beware - The Information Commissioner's Office will be imposing much stiffer fines for data security breaches in the future.

The Information Commissioner's Office (ICO) is getting tougher over data security with the imposition of fines of up to half a million pounds for serious breaches, something which could prove costly for careless marketeers.

"The Information Commissioner’s Office (ICO) will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act," said an ICO statement. "The ICO has produced statutory guidance about how it proposes to use this new power, which has been approved by the Secretary of State for Justice, and has been laid before Parliament today."

The size of the fine will be determined after an investigation to assess the gravity of the breach and will also be based on the the size and finances of the organisation at fault, whether the breach was accidental or deliberate, and how much distress the leak of information caused.

"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," the ICO statement said. "Factors will be taken into account including an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."

Promoting compliance

"Getting data protection right has never been more important than it is today. As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details," said Information Commissioner Christopher Graham. "When things go wrong, a security breach can cause real harm and great distress to thousands of people."

"These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."

The original Act came into force in 1984. Under the most recent Act of 1998, data can only be used for the purposes for which it is collected and cannot be given to others without the consent of the individual. Everybody has the right to see information that is held about them, with the exception of crime-related data. The new rule is expected to come into force in the UK on 6 April 2010.

Jamie Cowper, director of European marketing at data encryption firm PGP Corporation, welcomed the new fines, but warned that unless UK organisations clean up their act they could find them highly costly. "With 70% of UK firms admitting they were hit by at least one data breach last year, the ICO should have no shortage of businesses to fine. Furthermore, with the number of companies falling victim to breaches rising year on year, it’s clear that more needs to be done to motivate companies with weak security strategies to shape up. A threat of a half a million pound fine is a powerful motivator.

"The cost of data breaches is already staggeringly high for UK businesses; last year the average breach cost £1.7 million, or £60 for each identity lost. If the ICO's bite turns out to be as big as its bark, this cost could exceed £2 million; a huge expense at a time when businesses and public sector bodies can ill afford to waste money.

"Organisations that want to avoid these massive financial penalties must look to implement watertight data protection strategies, employing proven technologies such as data encryption to ensure that confidential information is locked down. It is only by doing so that companies can be sure that their customers, reputations and profits are protected."


Replies (2)

Please login or register to join the discussion.

By Graham
14th Jan 2010 11:10

I am pleased that this particular Regulatory Body is getting some teeth to address the ambivalent attitude that some organisations have to the protection of Personal Information. During the years that PAOGA has been promoting Personal Information Management Services (PIMS), by enabling individuals to safely store and share their personal information with suppliers, I have often heard the excuse that "We will do something about it when we get fined."

The mutual benefits to both supplier and consumer, by allowing the individual to manage and take responsibility for the personal information that they share in order to participate in a relationship, seem obvious to me and many others. Vendor Relationship Management (VRM) is the reciprocal to organisations CRM systems providing individuals, as citizens, consumers, employees, patients, students etc., to build, maintain and share relevant information from their secure personal data silo with a record of what information they have shared with whom. Embracing and promoting this 'user driven' relationship not only reduces the costs and improves the accuracy of information for the organisation but it also addresses many of the principles that the ICO are looking to protect thereby reducing the risks of financial penalties.

TRUST will be the key to client/supplier relationships in 2010 and the best way to establish trust is to 'trust your citizens/customers/employees'.

Thanks (0)
By Neil Davey
14th Jan 2010 11:16

It's always great to hear from you Graham - and many thanks for your pearls of wisdom!

Relating to this, I'll shortly be posting the second part of my interview with Doc Searls, which delves further into vendor relationship management, and the different forms of VRM that have emerged. (For the first discussion with Doc, click here).


Thanks (0)