Starting in April, companies that violate the UK’s Data Protection Act 1998 risk a maximum penalty of £500,000. Guidance has been published on when the fine may be imposed, the steps that the Information Commissioner’s Office (“ICO”) will take in imposing the monetary penalty, and examples of what constitutes a violation. When considering whether an organization has violated the law, the ICO will objectively take into account the circumstances, the seriousness of the contravention, whether substantial damage or distress resulted, whether the violation was deliberate, whether the organization knew or ought to have known, and what reasonable steps it took to avoid the violation. Additional factors will include the organization’s financial resources, sector, and size, and the severity of the data breach, so as to ensure that penalties are fair and not harsh.
TIP: The UK Information Commissioner has signalled a toughening-up of its stance in relation to violations of the Data Protection Act. Companies in the UK should review their policies and confirm their compliance, including that data processing is relevant and not excessive to the purposes for which the data was collected, that data is not kept for longer than necessary, that data is secured, and that data is not transferred to other countries without “adequate protection,” except in certain circumstances.