August 19, 2014

‘Get it right’ first time – 10 key learnings from Civil Monetary Penalties

Since April 2010, the UK’s privacy regulator, the ICO (Information Commissioner’s Office), which gives independent advice and guidance about data protection and freedom of information, has had the power to issue Civil Monetary Penalty (CMP) notices of up to £500,000 for serious breaches of the Data Protection Act (DPA).

CMPs are used as both a sanction and a deterrent against organisations or individuals who deliberately or negligently disregard data protection laws. The ICO’s aim is to promote data compliance and to improve public confidence in data security and confidentiality.

But as total fines issued to date top £6 million – how do we know if this approach has actually worked? What has the impact of CMPs been on organisations beyond the actual fine? Do CMPs really improve data protection and security compliance and encourage best practice?

In February 2014, the ICO commissioned an independent review of the impact of CMPs which seems to answer these questions with a resounding ‘Yes’!

The findings of the research clearly indicate that the penalties have had a positive impact on the way organisations look after people’s personal information.  So what can we learn from them?

Here are ten key improvements identified by some of the organisations that have experienced the sharp end of a CMP fine:
  1. Introduction of improved data protection practices and policies, along with increased staff training
  2. Data protection issues are given a higher profile within the organisation
  3. Greater senior management buy-in to complying with information rights obligations
  4. Staff awareness was raised through targeted campaigns and better communication
  5. Importance of handling data properly was made more prominent
  6. More proactive engagement with the ICO, including setting up good practice workshops
  7. Implementation of good practice audits
  8. Some completely overhauled their information security policies
  9. Increased reporting of incidents of data security breaches
  10. It was suggested that the ICO retain a portion of the CMP money and use it to help support data controllers comply with DPA laws

Interestingly, the research indicated that CMPs also had a wider impact as a useful deterrent to peer organisations which hadn’t received one themselves. On hearing about organisations that had had a CMP, other organisations reported a positive impact on how they managed their own data protection responsibilities and the importance they attached to information rights. Fear of reputational damage through bad press and increased awareness of data handling responsibilities were powerful deterrents and promoted an attitude of ‘get it right first time’ in order to avoid CMPs.

As well as providing this invaluable feedback for the ICO, and showing that CMPs are effective in achieving the overarching objective of improving data protection compliance, the research presented an opportunity for the ICO to reflect on its enforcement action, and to explore the potential for new and improved ways of applying its regulatory powers.

Organisations that had received CMPs, wanted the ICO to:
  • Be more transparent about how they worked out the fines
  • Make the ‘Notice of Intent’ to issue a CMP clearer - given the facts of each case, to be ‘reasonable and proportionate’ in their calculations
  • Clarify the interpretation of the ‘substantial damage and distress’ caused by the data breach, and take into account any mitigating factors
  • Communicate better what actually happens to the money collected via CMPs (it currently goes into a HM Treasury consolidated fund)
  • Give more support to help data controllers comply with their information rights obligations – perhaps making good practice audits compulsory
  • Raise awareness (through press releases, reports and blogs) of recent CMPs issued, as an example of what not to do
  • Publicise ‘success stories’ of how organisations issued with a CMP have turned themselves around and met their responsibilities.

The ICO continues to work towards protecting our data and ensuring good practice among data controllers.  Its proactive pursuit of greater powers to audit and punish those who do not comply with the DPA suggest that the impact on businesses and organisations of all shape and sizes across all sectors is only likely to increase in the future.

For more information on monetary penalties issued by the ICO you can find all of the details on their website

And for more general information on the Data Protection Act and how we can help your company ‘get it right first time’, check out our legislative fact sheet for some helpful tips and advice.