Breach of the data protection peace

With the ICO rarely fining for breaches of the Data Protection Act, are businesses breaking rules as they can get away with it or is the ICO bringing about some other type of corporate telling off?

So the ICO's figures look worrying and the industry is talking up' a data compliance tsunami, but have we overlooked any fundamental facts? Yes, the number of companies handed monetary fines is low, but we must remember a financial penalty is not the only regulatory power at the ICO's disposal to bring about compliance.

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

Speaking to the organisation's press office, it appears the ICO has been in direct contact with most, if not all firms, that have acted improperly. Carrying out what it calls "informal resolutions," the ICO seems to have established its own subjectively calibrated barometer for determining which cases impinge upon data rulings enough to support the case for action.

Advertisement - Article continues below
Advertisement - Article continues below

Is it time for a re-calibration of its definition of serious?

But the ICO says it only penalises what it calls serious breaches,' so is it time for a re-calibration of its definition of serious?

"Good regulation is about getting the best result in the public interest," said the ICO. "For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

Featured Resources

Report: The State of Software Security

This annual report explores important trends in software security

Download now

A fast guide to finding your cloud solution

One size doesn't fit all in the cloud, so how do you find the best option for your business?

Download now

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Small & Medium Business Trends Report

Insights from 2,000+ business owners and leaders worldwide

Download now

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020