As the issue of the first Monetary Penalty Notice (MPN) under the Data Protection Act 1998 (the DPA) draws closer, organisations have a short time to review their data protection compliance before they are potentially at risk of a fine.
The Information Commissioner (the Commissioner) has a new power to fine up to £500,000 for serious data protection breaches which is expected to come into force on 6 April 2010.
An organisation which can demonstrate it took “reasonable [preventative] steps” despite committing a serious data protection breach could have a lower fine issued or even be exempt from a fine.
The Commissioner has published statutory guidance on how he will use his power to issue MPNs (the Guidance). The Guidance has an important role as a compliance checklist for prudent organisations wishing to review their practices and procedures and make essential adjustments ahead of April.
To avoid receiving an MPN, a data controller should consider the following:
- Make an effort – and be able to demonstrate it – to understand the risks of handling personal data, eg conduct a risk assessment
- Pay proportionately more attention to processing involving sensitive data and/or large numbers of individuals
- Have appropriate policies, procedures and practices relevant to serious contraventions which might occur and establish clear lines of responsibility
- Implement guidance or codes of practice from the Commissioner or others relevant to serious contraventions of the DPA by your organisation
- Act on and learn the lessons from past warnings or previous incidents (and be able to provide evidence of this).

The effectiveness of MPNs as a data privacy compliance tool will depend mainly on the Commissioner’s exercise of his discretion. The Guidance provides some hints but ultimately we will have to wait and see how things develop.