The Information Commissioner has now joined the ranks of modern
super-regulators with teeth. Powers to impose penalties of up to
£0.5m are expected to come into force this spring. Read more about
the implications for SMEs.
On 12 January 2010 the data protection regulator, the Information
Commissioner, issued a press release confirming the timescales and
maximum monetary amount that the Commissioner will be able to
impose as a penalty for serious breaches of the Data Protection Act
1998.
The Data Protection Act 1998 itself was amended back on 1 October
2009 to provide the framework for the new powers. Since then, the
Information Commissioner has made no secret in press releases and
statements published on its website of the fact that it proposed a
maximum penalty of £500,000. As part of the process of
establishing the penalty regime the Information Commissioner had to
prepare written guidance on how the power will be exercised, then
obtain the approval of the Secretary of State, and lay the guidance
before each House of Parliament. The press release confirms that
the guidance was laid before Parliament on 12 January, so it
appears that the £500,000 limit and the published guidance
have been approved by the Secretary of State. Timescales are still
to be confirmed, but the Information Commissioner's press
release states that the power is intended to become effective on 6
April 2010.
This is important information for businesses to feed into their
compliance and risk management agendas.
In a survey of SMEs carried out by the British Standards
Institution in 2009, 20% of responding businesses admitted breaching
the Data Protection Act 1998, 50% admitted that there was no
individual in their business with specific responsibility for data
protection compliance, and 65% said they do not provide data
protection training for their staff. It does appear that data
protection compliance amongst more than half of UK SMEs is not a
priority and places them at risk of breaches occurring, and the
survey no doubt gives a rosier picture than the reality on the
ground.
The regulator's new powers undoubtedly increase the heat for
these SMEs because penalties will be assessed on the basis of the
outcome for the person affected by a data protection breach, not
just on whether or not the breach was deliberate or on the
resources of the data controller. You can see the regulator's
final guidelines at www.ico.gov.uk (http://www.ico.gov.uk/).
For us in the UK it is ironic that, only the day before the
Information Commissioner's announcement, the founder and CEO of
Facebook, Mark Zuckerberg, commented that privacy is no longer a
social norm. UK law and a bevy of increasingly vocal consumer
groups would beg to differ.