As the new financial year commenced, the Information Commissioner was awarded fresh powers to penalise those who contravene the Data Protection Act. They can now issue penalties of up to £500,000, where previously their highest penalty was £5,000.
It is expected that the larger fines will be reserved for those who share data unlawfully or retain personal data for unjust reasons. The new rules will apply to the public and private sector.
The ICO also have new powers to uncover incidents of mishandling data but at present this is only applicable to government departments. It is expected, however, that these powers will be extended across the public and private sectors in the coming years.
Lawyers from Field Fisher Waterhouse advised in a press release that firms should now be acting in preparation for these new powers coming into force.
Stewart Room, partner, commented: “Most organisations will not have taken steps to prepare themselves for the new fining regime, despite two years’ preparation time and plenty of warnings.”
Mr Room believes that firms can counteract this by setting up management steering groups. These groups should have the internal responsibility to review the firms’ data policies and processes.
He continued: “The route towards a Commissioner-led investigation always starts with an event of data mishandling. It will be obvious that the organisation will be expected to display ‘good behaviours’ at this critical moment. Knowing what to do and doing the right thing when a security incident occurs can significantly reduce the risk of damage or distress being suffered by the victims, which can significantly reduce the risk of a fine being imposed.”