ARTICLE
14 April 2010

Data Breaches: New Financial Penalties

Matthew Arnold & Baldwin

Contributor


The Information Commissioner now has a new power to impose a monetary penalty of up to £500,000 if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.

For the penalty to be imposed, the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

However, a notice of intent must be served by the Information Commissioner before the penalty is imposed. This will allow an opportunity for representations to be made.

The Information Commissioner has issued statutory guidance which indicates the approach likely to be taken. A main issue for employers is likely to arise where inadequate security measures or processes have allowed the theft, loss or unauthorised processing of employee data. It would be sensible to review existing processes and policies to ensure that appropriate security and preventative measures are in place and that these have been effectively communicated to employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
