New Powers for ICO for Data Breaches


The Information Commissioner’s Office (ICO) has been given the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act (DPA). The new power is granted under the Criminal Justice and Immigration Act, which recently received Royal Assent. Hitherto, the ICO could only issue an enforcement notice against an organisation that was in breach of the DPA.
David Smith, the Deputy Information Commissioner, said, “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.”
There are eight Data Protection Principles with which anyone who processes personal information must comply. The data must be:
  1. Processed fairly and lawfully;
  2. Processed for limited purposes;
  3. Adequate, relevant and not excessive;
  4. Accurate and up to date;
  5. Not kept for longer than is necessary;
  6. Processed in line with the individual’s rights;
  7. Secure; and
  8. Not transferred to other countries without adequate protection.
The new power will not apply retrospectively.
For advice on any data protection matter, please contact <<CONTACT DETAILS>>.
Partner Note
The amendments to the Criminal Justice and Immigration Bill that introduce the power can be found at
