Breach of the data protection peace

With the ICO rarely fining for breaches of the Data Protection Act, are businesses breaking rules as they can get away with it or is the ICO bringing about some other type of corporate telling off?

So the ICO's figures look worrying and the industry is talking up' a data compliance tsunami, but have we overlooked any fundamental facts? Yes, the number of companies handed monetary fines is low, but we must remember a financial penalty is not the only regulatory power at the ICO's disposal to bring about compliance.

"Our focus as a regulator is on getting bodies to comply with the Data Protection Act," said an ICO spokesperson. "This isn't always best achieved by issuing organisations or businesses with monetary penalties."

"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally."

Speaking to the organisation's press office, it appears the ICO has been in direct contact with most, if not all firms, that have acted improperly. Carrying out what it calls "informal resolutions," the ICO seems to have established its own subjectively calibrated barometer for determining which cases impinge upon data rulings enough to support the case for action.

Is it time for a re-calibration of its definition of serious?

But the ICO says it only penalises what it calls serious breaches,' so is it time for a re-calibration of its definition of serious?

"Good regulation is about getting the best result in the public interest," said the ICO. "For a monetary penalty to be served, the Information Commissioner has to satisfy a strict set of criteria, which is set out in the Statutory Guidance."

"This guidance has been approved by the Secretary of State and laid before Parliament. It makes it clear that the Information Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress."

The ICO has further clarified, in addition, the contravention must either have been deliberate or the data controller must have known or ought to have known there was a risk it would occur and failed to take reasonable steps to prevent it.

"We will always consider the imposition of a monetary penalty where these criteria are met," said the ICO.

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Most Popular

46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020