Serious data security breaches can now incur fines up to £500,000 from the Information Commissioner’s Office (ICO).
The ICO’s beefed-up powers are expected to come into force on 6 April 2010 and have already been approved by the Secretary of State for Justice, Jack Straw.
The size of the fine will depend on the size, sector and financial health of the company. Factors such as the seriousness of the data breach, the damage and distress it could cause individuals and whether it was due to negligence or a deliberate act will be taken into account. How proactive an organisation has been to prevent such breaches will also influence the ICO’s decision.
High-profile data loss cases at the Ministry of Defence, the DVLA and other organisations have helped to raise the profile of data protection issues.
Information Commissioner Christopher Graham said that these increased penalties were designed to act as a deterrent and to encourage compliance with the Data Protection Act.
“But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law,” said Graham in an official statement.
Chris McIntosh, CEO of hardware encryption specialists Stonewood, welcomed the increased penalties, but called on the Government to do more.
“In line with stronger punishments for breaches of the DPA, there must also be a stronger message from the Government; businesses have so much bureaucracy and red tape to deal with when it comes to data compliance that it is too confusing to be effective,” said McIntosh.