The British Government has outlined plans this week that could see firms that suffer a data breach slapped with a fine of up to £500,000.
The Ministry of Justice has launched a consultation paper dubbed the “Civil monetary penalties: setting the maximum penalty”, aimed at ‘data controllers and their representative bodies.’
“The Government is proposing to introduce a maximum Civil Monetary Penalty for serious breaches of the DPA of up to £500,000,” says the consultation. “This reflects the importance that Government places on safeguarding personal data effectively and processing it responsibly and lawfully. The Information Commissioner’s Office (ICO) will exercise its discretion to assess the appropriate level of any penalty it imposes and will publish detailed guidance setting out the criteria it will use and circumstances it will take into consideration.”
The Government’s thinking behind this penalty is, of course, to get organisations in the UK to ensure they are fully compliant with the Data Protection Act.
While a fine of up to £500,000 is sure to grab attention, the consultation document does propose some discretion. It says “any financial sanction that may be imposed by the ICO must be proportionate.”
“The ICO will have regard to the financial hardship a penalty may inflict on a data controller guilty of a serious breach of the data protection principles,” says the document. It also recommends that the maximum penalty “should not be any higher than the equivalent of 10 percent of the highest annual turnover of a small company.”
It seems that any penalty money collected would be paid into a fund owned by HM Treasury.
The consultation runs until 21 December. The ICO meanwhile on Wednesday released its data breach figures, which showed that 434 organisations reported data security breaches over the past year, up from 277 the year before. More than 200 were hospitals.
“The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough,” David Smith, deputy information commissioner, is reported as saying.
“Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media,” he said.