After a long campaign, the Information Commissioner’s Office (the regulator responsible for enforcing data protection law in the UK) is about to get its wish. It will no longer have to jump through a series of hoops to sanction organisations that are careless with people’s data. Instead, under two statutory instruments now being brought into force, the ICO will be able to fine an organisation up to £500,000 where it finds a serious breach of the Data Protection Act. To qualify, the breach must be of a kind likely to cause substantial damage or distress, and either the organisation must have breached the Act deliberately, or it knew or should have known of the risk and the likely substantial damage or distress but still failed to take reasonable steps to prevent it.

The ICO has issued guidance on how it would set the level of a penalty. It would weigh a number of factors, including:
- How serious the breach was.
- How likely damage was.
- Whether the breach was deliberate or negligent.
- What steps the organisation had taken to safeguard the data.
- The organisation’s resources and size.
Meanwhile, in a separate development, the Government is consulting on introducing custodial sentences for people who unlawfully trade in personal data, in response to the ICO’s repeated calls for jail terms for such offenders.
The Information Commissioner, Christopher Graham, says that data protection has never been more important, given the amount of data now collected and stored about individuals and the serious harm and distress that can result when that data is breached.