IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Breach of the data protection peace

With the ICO rarely fining for breaches of the Data Protection Act, are businesses breaking rules as they can get away with it or is the ICO bringing about some other type of corporate telling off?

So the ICO's figures look worrying and the industry is talking up' a data compliance tsunami, but have we overlooked any fundamental facts? Yes, the number of companies handed monetary fines is low, but we must remember a financial penalty is not the only regulatory power at the ICO's disposal to bring about compliance.

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

Speaking to the organisation's press office, it appears the ICO has been in direct contact with most, if not all firms, that have acted improperly. Carrying out what it calls "informal resolutions," the ICO seems to have established its own subjectively calibrated barometer for determining which cases impinge upon data rulings enough to support the case for action.

Is it time for a re-calibration of its definition of serious?

But the ICO says it only penalises what it calls serious breaches,' so is it time for a re-calibration of its definition of serious?

"Good regulation is about getting the best result in the public interest," said the ICO. "For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022