August 19, 2014
Since April 2010, the UK’s privacy regulator, the ICO (Information Commissioner’s Office), which gives independent advice and guidance about data protection and freedom of information, has had the power to issue Civil Monetary Penalty (CMP) notices of up to £500,000 for serious breaches of the Data Protection Act (DPA).
CMPs are used as both a sanction and a deterrent against organisations or individuals who deliberately or negligently disregard data protection laws. The ICO’s aim is to promote data compliance and to improve public confidence in data security and confidentiality.
But with total fines issued to date topping £6 million, how do we know whether this approach has actually worked? What has the impact of CMPs been on organisations beyond the fine itself? Do CMPs really improve data protection and security compliance and encourage best practice?
In February 2014, the ICO commissioned an independent review of the impact of CMPs which seems to answer these questions with a resounding ‘Yes’!
The findings of the research clearly indicate that the penalties have had a positive impact on the way organisations look after people’s personal information. So what can we learn from them?
Interestingly, the research indicated that CMPs also had a wider impact as a useful deterrent to peer organisations which hadn’t received one themselves. On hearing about organisations that had received a CMP, other organisations reported a positive impact on how they managed their own data protection responsibilities and the importance they attached to information rights. Fear of reputational damage through bad press, together with increased awareness of data handling responsibilities, proved a powerful deterrent and promoted an attitude of ‘get it right first time’ in order to avoid CMPs.
As well as providing this invaluable feedback for the ICO, and showing that CMPs are effective in achieving the overarching objective of improving data protection compliance, the research presented an opportunity for the ICO to reflect on its enforcement action, and to explore the potential for new and improved ways of applying its regulatory powers.
The ICO continues to work towards protecting our data and ensuring good practice among data controllers. Its proactive pursuit of greater powers to audit and punish those who do not comply with the DPA suggests that the impact on businesses and organisations of all shapes and sizes across all sectors is only likely to increase in the future.
For more information on monetary penalties issued by the ICO you can find all of the details on their website.
And for more general information on the Data Protection Act and how we can help your company ‘get it right first time’, check out our legislative fact sheet for some helpful tips and advice.