Companies Face Stiff Penalty For Data Breaches


Companies in the UK that suffer a data breach may run the risk of being fined up to £500,000, according to government plans announced this week.

The British Government has outlined plans this week that could see firms that suffer a data breach, being slapped with a fine of up to £500,000.

The Ministry of Justice has launched a consultation paper dubbed the “Civil monetary penalties: setting the maximum penalty”, aimed at ‘data controllers and their representative bodies.’

“The Government is proposing to introduce a maximum Civil Monetary Penalty for serious breaches of the DPA of up to £500,000,” says the consultation. “This reflects the importance that Government places on safeguarding personal data effectively and processing it responsibly and lawfully. The Information Commissioner’s Office (ICO) will exercise its discretion to assess the appropriate level of any penalty it imposes and will publish detailed guidance setting out the criteria it will use and circumstances it will take into consideration.

The Government’s thinking behind this penalty is of course to get organisations in the the UK to ensure they are fully compliant with the Data Protection Act.

While a fine of up £500,000 is sure to grab attention, it seems the consultation document does propose some discretion. It says “any financial sanction that may be imposed by the ICO must be proportionate.”


“The ICO will have regard to the financial hardship a penalty may inflict on a data controller guilty of a serious breach of the data protection principles,” says the document. It also recommends that the maximum penalty “should not be any higher than the equivalent of 10 percent of the highest annual turn over of a small company.”

It seems that any penalty money collected would be paid into a fund owned by HM Treasury.

The consultation runs until 21 December. The ICO meanwhile on Wednesday released its data breach figures, which showed that 434 organisations reported data security breaches over the past year, up from 277 the year before. More than 200 were hospitals.

“The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough.” David Smith, deputy information commissioner, is reported as saying.

“Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media,” he said.

Author: Tom Jowitt
Click to read the authors bio  Click to hide the authors bio