It is now 10 years since the Data Protection Act 1998 (the “Act”) came into force. The initial fanfare certainly made businesses take note (not least because of the need to register with the Commissioner) and take at least some steps to ensure compliance. But the business world has changed. Consumer behaviour too has changed. The online revolution is now well-established and the volume of personal data handled by most businesses has increased dramatically. But is the Act taken seriously enough?
Monetary Penalty Notice
The Information Commissioner now has power to issue a “monetary penalty notice” (“MPN”) to a business handling personal data in breach of the Act’s requirements. MPNs are the result of significant lobbying, after some high-profile cases of insecure handling of data (lost laptops, disclosed blacklists etc), and can be issued for any sum up to £500,000 in a given case. Not every breach of the Act will justify an MPN. Before issuing one, the Commissioner must be satisfied that: the business has seriously contravened the data protection principles; the contravention was of a kind likely to cause substantial damage or substantial distress; and either the contravention was deliberate, or the business knew or ought to have known that there was a risk of a contravention of that kind and (crucially) still failed to take reasonable steps to prevent it.
What are the risks?
This is about risk management. Review your own processes for handling personal data. When did you last assess the risks and put in place appropriate procedures? Have you adequately trained your staff? If you outsource data management (e.g. via remote servers or a fully-managed IT service) do you have adequate contractual protection with those third-party providers? Do your staff routinely work on laptops out of the office? Is personal data encrypted? What password policy do you use? How regularly do you “cleanse” your records and destroy personal data? When did you last review the data protection notice you give your customers?
Damage to reputation
These are important issues. Do not assume that MPNs will only be aimed at the largest businesses. Any business, of any size, can cause significant damage or distress if it mishandles personal data. It only takes one aggrieved customer, or even a disgruntled employee, to make a complaint to the Commissioner. Remember too that we are talking here about the potential for serious reputational damage: paying a fine is not the only pain your business could suffer.
For more information contact Robert Goddard