Firms Face Fines for Losing Data
Small businesses could be fined up to half a million pounds if they lose confidential customer or employee information, under new penalties introduced by the Information Commissioner’s Office (ICO).
The new maximum penalty for businesses guilty of a serious data breach is 100 times greater than the one it replaces. Previously, the ICO had the power to fine just £5,000 for serious breaches of the Data Protection Act (DPA).
Announcing the increased fines, the Information Commissioner, Christopher Graham, said:
“I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law.”
A serious breach of the DPA has been defined by the ICO as one that was “likely to cause damage or distress” and was “either deliberate or negligent and the organisation failed to take reasonable steps to prevent it.”
However, Graham also pointed out that the ICO will take what it described as “a pragmatic and proportionate approach” to fines. Factors taken into account will include a business’ financial resources, sector and size, as well as the severity of the data breach.
Under the DPA, firms have a legal obligation to store data securely, make sure data held is accurate and ensure personal information is destroyed once it is no longer needed.
According to document destruction company Shred-it’s executive vice-president, Robert Guice, many small-business owners simply are not taking the necessary steps to create ongoing data security policies and practices.
“Invoices, company reports, payroll data, customer lists and even customer complaints are all highly confidential and need to be destroyed or securely stored,” he said.
For more information on data protection obligations, visit the ICO website.