UK organisations will face fines of up to £500,000 for serious breaches of the Data Protection Act under new powers given to the Information Commissioner's Office (ICO).
The powers are set to come into force on 6 April after receiving approval from the Secretary of State for Justice, Jack Straw. The size of fines will depend on the seriousness of the breach, the organisation's financial resources and the sector it serves.
Christopher Graham, Information Commissioner, says: "As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people. These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act."
Jamie Cowper, director of European marketing at data encryption firm PGP Corporation, welcomed the move, saying: "With 70% of UK firms admitting they were hit by at least one data breach last year, the ICO should have no shortage of businesses to fine. Furthermore, with the number of companies falling victim to breaches rising year on year, it's clear that more needs to be done to motivate companies with weak security strategies to shape up. A threat of a half-a-million-pound fine is a powerful motivator."
Simon McDougall, head of privacy and data protection at Deloitte, agrees: "While the largest fines may only be dealt out to larger firms for serious breaches of the Data Protection Act, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean-up costs and reputational damage should they suffer a breach."