New Fines for Data Protection Breaches

Since 6th April this year, the Information Commissioner has had the power to fine organisations for significant breaches of the Data Protection Act. Prior to this, the Information Commissioner did not have the power to impose fines on organisations and had to use the other enforcement powers available to him. This is a significant development for the enforcement of data protection laws in the UK, and the maximum fine is £500,000 per breach.

This new power has focussed the attention of many companies on the status of their data protection compliance.

Although the new power has not been exercised yet, the first fines are very likely to be for a data security breach such as the loss of an unencrypted USB stick or CD-ROM containing personal data. Security breaches tend to be one of the main types of breach against which we have seen the Information Commissioner take enforcement action over the past two years, but it is important for companies to be aware that breaches of any of the other data protection principles can give rise to fines if the breach could or does harm an individual.

The recent enforcement action consists mainly of undertakings entered into between the Information Commissioner and the company in breach.
