Organisations within the UK are required to comply with the DPA (Data Protection Act) or face fines from the ICO (Information Commissioner’s Office).
To date, the ICO has issued penalties to organisations amounting to more than £6 million because of their poor information security practices.
Here are the top 3 fines issued by the ICO within the last 12 months:
- Prodial Ltd fined £350,000
In the largest fine ever issued by the ICO, lead generation firm Prodial Ltd was held responsible for over 46 million automated nuisance calls in “one of the worst cases of cold calling”. Over 1,000 people complained about receiving recorded messages relating to PPI claims. The firm has since gone into liquidation.
- The Crown Prosecution Service fined £200,000
The CPS was faced with a hefty fine after laptops containing videos of police interviews were stolen from a private film studio. The videos involved 43 victims and witnesses across 31 investigations. They had been sent to a Manchester-based film company for editing so that they could be used in criminal proceedings, but the film studio was burgled and the laptops were not encrypted.
- Home Energy & Lifestyle Management Ltd (HELM) fined £200,000
Green energy company HELM was fined after it deliberately broke marketing call regulations, making over 6 million automated calls offering ‘free’ solar panels. The ICO received 242 complaints. What’s worse is that the company in question is part of the government’s Green Deal initiative, and later admitted that it didn’t know what the rules of the DPA actually were.
Avoid fines from the ICO
For some small and medium-sized firms, fines of this nature can close the business down.
Currently, anyone who processes personal information must comply with the eight principles of the DPA, but there is no detailed specification of what this entails, which can make it difficult to know what you have to do.
IT Governance’s DPA Compliance Toolkit contains all the key documents needed to ensure compliance.
It includes a number of templates, among them a Data Protection Policy, a Fair Processing Notice, guidelines for laptop hard drive encryption, staff induction material and much more.
Coming soon: the GDPR
The GDPR will come into force on 25 May 2018, imposing stringent data security requirements on all organisations that process or handle data of EU residents. Any organisation that fails to meet these requirements will be faced with fines of up to 4% of their annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.
In the event of a breach, your organisation will likely be investigated by a supervisory authority (which will almost certainly be the ICO in the UK) and you will be tasked with proving what you had done to prevent the breach.
Even though the UK has decided to leave the EU, the GDPR will likely be applicable to UK organisations. Until the UK invokes Article 50 and the Brexit negotiations and process are completed, UK organisations must fully comply with EU law. Plus, the ICO was at the forefront of the GDPR’s development, so it’s very likely that the current UK DPA will be updated to reflect the more rigorous requirements of the GDPR.
To help ensure compliance, we have developed the EU GDPR Documentation Toolkit, which provides all the critical documents your organisation will need to ensure compliance with the new regulations, including documents covering Data Protection Policy, DPO requirements, Privacy Impact Assessments, Incident Response and Breach Reporting.