Data Protection Penalties
All UK organisations must comply with the Data Protection Act (DPA). If your organisation is found to be in breach of the DPA, not only will you incur possible loss of business and brand damage but you could be subject to a penalty from The UK Information Commissioner's Office (ICO).
Amongst its powers, the ICO can prosecute and issue fines of up to £500,000 and undertake proceedings that can lead to prison sentences.
On this page learn about different Data Protection Penalties and how they can be prevented.
The ICO has several options when it finds an organisation in breach of the Data Protection Act:
- Monetary penalty notices - fines of up to £500,000 for serious breaches of the DPA
- Prosecutions - with possible prison sentences for deliberate acts of breaching the DPA
- Undertakings - organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO
- Enforcement notices - organisations in breach of legislation are required to take specific steps in order to comply with the law
- Audit - the ICO has the authority to audit government departments without consent
Monetary penalty notices
In April 2010 the ICO was granted the power to issue fines of up to £500,000 for serious DPA breaches. As the ICO clamps down on more and more organisations, the number and total value of fines issued has rocketed:
- 2010 - 2 fines totalling £160,000
- 2011 - 7 fines totalling £541,100
- 2012 - 17 fines totalling £2,143,000
- 2013 (1 Jan to 30 April) - 3 fines totalling £490,000
You can read all about the latest fines on the ICO's website.
In November 2012 the ICO fined Prudential £50,000 for breaching the DPA. This was significant because it was the first time the ICO had fined an organisation not for losing data but for using it incorrectly. Complying with the DPA is not just about confidentiality; it is also about the integrity and availability of that information. Learn more about the DPA's requirements here.
So what can constitute a breach of the DPA? Here are some examples, as reported by the ICO:
- Sending spam texts
- Sending information to the wrong recipient
- Confusing customer records
- Failure to encrypt sensitive information
- Loss of paper records
- Not disposing of records correctly
As compliance specialists we have been helping organisations achieve and maintain DPA compliance for over 10 years. We recommend that organisations follow this standard approach to achieving DPA compliance:
- Understand what the DPA is and how it affects your business
- Identify your current level of conformance to the DPA
- Identify gaps and the steps needed to achieve compliance
- Document your DPA policies
- Understand how to react if you suffer a data breach
- Initiate DPA staff training
We have developed and sourced many products which will help any organisation to meet the requirements of the DPA, whatever stage you are at with your project.
The Data Protection Act 1-Day Course is a logical place for any organisation to start. The course provides an overview of the DPA and delegates will understand what is required for their organisation to become compliant.
The DPA Compliance Assessment Tool draws on core advice on DPA compliance from the UK Information Commissioner's Office. It contains a series of 16 key questions with associated recommendations and guidance, enabling organisations to identify the steps they need to take to deal with a specific issue or with a broad range of mitigation actions.
The DPA Compliance Toolkit contains all the document templates and tools that are essential for achieving compliance. The toolkit also includes guidance on how to complete these templates and what to do to ensure on-going compliance.
We also provide a comprehensive DPA bookstore. These titles have been deemed most useful by our customers: