New ICO powers come into force today
The Information Commissioner’s Office (ICO) gains new powers today, April 6, to enforce fines of up to £500,000 on companies that break the Data Protection Act.
The level of fine will vary according to the measures taken by the company to prevent a data breach and the nature of the breach itself.
KPMG anticipates that the ICO will quickly look for big-name companies to target with its beefed-up powers, and has come up with some suggestions for staying on the right side of the law on data privacy.
Encrypt your data. Although the proportion is in decline, KPMG points out that 20% of all incidents are caused by a failure to encrypt sensitive data. Organisations should take care to encrypt not just laptops but also desktops.
Check out third parties. KPMG estimates that, of the 490 million people affected by data losses since 2005, a third were affected by losses caused by a third party, normally a supplier. However, it is the data owner that the regulators will pursue, so it is vital to look beyond simply having a security clause in a contract and to actively confirm what that clause means in practice. If something then goes wrong, the data owner can show that it did everything in its power to comply with the regulations.
Offshore contracts. Offshoring or outsourcing relationships need to be examined carefully, particularly where data is sent to countries in which personal data is not valued as highly. Even where processes are in place, they may still fail because of this mismatch in how the data is valued, with the result that the supplier's response to a problem is not as prompt or thorough as the company or the regulator would like.
Deal with data loss quickly. If the worst happens, companies are likely to incur higher fines if they fail to recognise the severity of the loss, are tardy in reporting it, do not conduct a thorough investigation, do not assess the impact on the individuals involved, or do not act quickly to correct the weakness.
Beware the regulator. With its new powers, the ICO will be keen to flex its muscles and demonstrate how seriously it takes data breaches. Companies should ensure they have done all they can to identify and correct problems.
Chris McIntosh, CEO of hardware encryption firm Stonewood, welcomed the ICO’s powers, but called for action from government.
"In line with stronger punishments for breaches of the DPA, there must also be a stronger message from the Government; businesses have so much bureaucracy and red tape to deal with when it comes to data compliance that it is too confusing to be effective. Government needs to provide simple, straightforward legislation regarding the protection of personal data through encryption, as it is the only way to make sure that if data is lost or stolen, it cannot be misused if it gets into the wrong hands," said McIntosh.