Breach of the data protection peace

With the ICO rarely fining for breaches of the Data Protection Act, are businesses breaking rules as they can get away with it or is the ICO bringing about some other type of corporate telling off?

So the ICO's figures look worrying and the industry is talking up' a data compliance tsunami, but have we overlooked any fundamental facts? Yes, the number of companies handed monetary fines is low, but we must remember a financial penalty is not the only regulatory power at the ICO's disposal to bring about compliance.

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

Speaking to the organisation's press office, it appears the ICO has been in direct contact with most, if not all firms, that have acted improperly. Carrying out what it calls "informal resolutions," the ICO seems to have established its own subjectively calibrated barometer for determining which cases impinge upon data rulings enough to support the case for action.

Is it time for a re-calibration of its definition of serious?

But the ICO says it only penalises what it calls serious breaches,' so is it time for a re-calibration of its definition of serious?

"Good regulation is about getting the best result in the public interest," said the ICO. "For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Most Popular

How to build a CMS with React and Google Sheets
content management system (CMS)

How to build a CMS with React and Google Sheets

24 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021