Data Protection Act (DPA) and EU GDPR Penalties

Compliance with data protection legislation is not just a matter of best practice; the penalties for non-compliance are serious – and are about to become a lot worse.

DPA penalties and the ICO

The Data Protection Act 1998 (DPA) is enforced by the Information Commissioner's Office (ICO), which has several options when it finds an organisation to be in breach of the act:

Monetary penalty notices: Fines of up to £500,000 for serious breaches of the DPA.
Prosecutions: Including possible prison sentences for deliberately breaching the DPA.
Undertakings: Organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
Enforcement notices: Organisations in breach of legislation are required to take specific steps in order to comply with the law.
Audit: The ICO has the authority to audit government departments without consent.

Monetary penalty notices

The ICO continues to clamp down on non-compliant organisations, as demonstrated by the number and value of fines issued for DPA-related offences over the last few years:

2010: 2 fines totalling £160,000
2011: 7 fines totalling £541,100
2012: 17 fines totalling £2,143,000
2013: 14 fines totalling £1,520,000
2014: 9 fines totalling £668,500
2015: 18 fines totalling £2,031,250
2016: 21 fines totalling £2,155,500
2017 January: 2 fines totalling £170,000

You can read about the latest fines on the ICO's website >>

Increased penalties under the GDPR

When the EU General Data Protection Regulation (GDPR) is enforced from 25 May 2018, breached organisations will find the fines they face increasing dramatically.

From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher.

For many businesses, the threat of insolvency or even closure as a result of GDPR penalties will soon be very real.

Fifteen months is not long to bring an organisation – especially a larger one – to a state of compliance with the new law, which is why it’s essential to prepare now.

Free EU GDPR green paper

Our green paper, EU General Data Protection Regulation – A Compliance Guide, provides a detailed overview of the Regulation, the key areas of change, and the critical areas organisations need to be aware of when preparing for compliance.

Download our free green paper now >>

How ISO 27001 can help you comply with data protection law

The international standard for information security management, ISO 27001, encapsulates the information security elements of the majority of global privacy regulations – including Principle 7 of the Data Protection Act – by providing a comprehensive framework for developing, implementing and maintaining an independently auditable information security management system (ISMS).

Article 42 of the GDPR sets out requirements for “data protection certification mechanisms” and “data protection seals and marks” as a means of demonstrating compliance with the Regulation. The ICO is currently developing its own Privacy Seal, which it hopes to launch later in 2016. It’s not yet known how this will relate to the GDPR’s certification requirements.

While privacy seals and specific PII-focused management system standards (such as ISO/IEC 27018 and BS 10012, the personal information management (PIMS) standard) will undoubtedly become a part of demonstrating GDPR compliance in due course, intelligent organisations will realise that data security should not be deferred.

ISO 27001 will help them protect their data assets and meet their compliance objectives now. An ISO 27001-compliant ISMS is a risk-based approach to information security management that addresses the specific security threats an organisation faces, covering people, processes and technology.

Accredited certification to ISO 27001 is recognised the world over as the hallmark of best-practice information security management, and demonstrates to customers, stakeholders and staff that an organisation takes its data security responsibilities seriously. The requirements for privacy seals – many of which will likely be covered by the Standard – can then be incorporated into the wider management system as they become available.

For more information on ISO 27001, click here >>

Approaching to DPA and GDPR compliance

IT Governance has over a decade's experience helping organisations the world over to build integrated management systems that achieve multiple compliance certificates.

As data protection compliance specialists, we recommend that organisations follow this standard approach to DPA/GDPR compliance:

Understand what the DPA/GDPR is and how it affects your business;
Identify your current level of conformance to the DPA/GDPR;
Identify gaps and take steps to achieve compliance;
Review the efficacy of your information security management system (ISMS) against an internationally accepted standard such as ISO 27001;
Document your DPA/GDPR and information security policies;
Understand how to react if you suffer a data breach;
Initiate DPA/GDPR staff awareness training;
Undertake information security staff awareness training.

DPA and GDPR solutions

We have developed and sourced a wide range of products to help organisations meet the requirements of the DPA and GDPR, whatever stage they may have reached in their compliance project.

The Data Protection Act Foundation Course provides an overview of the DPA, after which delegates will understand what is required for their organisation to become compliant.
The DPA Compliance Toolkit contains all the document templates and tools essential for achieving compliance. It also includes guidance on how to complete these templates and what to do to ensure ongoing compliance.
The DPA Compliance with BS 10012 Toolkit provides templates and model documents for those implementing a personal information management system (PIMS) according to British Standard BS 10012.
The Certified EU GDPR Foundation training course offers a solid introduction to the European General Data Protection Regulation, and provide a practical understanding of the implications and legal requirements of the regulation.
The Certified EU GDPR Practitioner training course helps delegates fulfil the role of the data protection officer (DPO) under the GDPR, and covers the Regulation in depth, including implementation requirements, the necessary policies and processes, and important elements of effective data security management.
The EU GDPR Documentation Toolkit contains a full set of policies and procedures enabling your organisation to comply with the EU GDPR, these templates are fully customisable and significantly reduce the burden of developing the necessary documents to achieve legal compliance.

We have a range of advisory and consultancy services to help organisations prepare for and adapt to the GDPR; from understanding the GDPR compliance position and developing a remediation roadmap through to implementing a best-fit data compliance framework.