The Information Commissioner, who oversees compliance with the Data Protection Act (DPA) in the UK, is limbering up to use his new enforcement powers.
Since 6 April, the Information Commissioner has had the power to impose monetary penalties of up to £500,000 for serious contraventions of the DPA likely to cause substantial damage or distress. He has long made it clear that he intends to use the new power and has previously indicated that breaches such as the widely reported HMRC data loss would have been likely to give rise to a penalty. Actual penalties will depend on issues such as the nature of the breach, the extent of damage caused and the number of people affected.
The Information Commissioner's Office has been sending out warnings that businesses should ensure that their houses are in order and come clean about any breaches to avoid being the first to receive a monetary penalty. David Smith, Deputy Information Commissioner, recently said "those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions".
Data protection specialists anticipate that the Information Commissioner will use his new powers within months as a warning to others of the risks of non-compliance. Suddenly data protection is on the boardroom agenda. Given the potential size of the penalties, FDs should take note!