Threat of £500K Data Protection Fines from 6 April 2010: Stephanie Pritchett releases Top 10 Data Protection Compliance Tips


Data Breach Headlines

Before the credit crunch dominated business reporting, data protection and data security breaches were mainstream news. It was hard to pick up a newspaper without a front page headline about sensitive information left publicly in skips or missing laptops and memory sticks containing information about thousands of customers.

The recession may mean ‘more exciting’ headlines. It also means greater temptation for businesses to cut corners and a greater desire to exploit databases and information assets. Season with compliance cuts and there is a recipe for unmanageable and dangerous business risks.

Organisations that don't want to hit the headlines for poor data management should consider Pritchetts' Top 10 Compliance Tips set out below.

It Has Never Been Easier To Misuse Information

On average, research shows that each UK citizen has personal information stored on over 700 different databases by different organisations. Information about an individual (including name, address, DOB, credit card details, expiry date and sort code) can be sold on the information black market for just £1. A database with details about 100,000 individuals can therefore be worth £100,000 to sell.

Slick Willie Sutton, the prolific US bank robber, famously said he robbed banks “because that’s where the money is”. Are databases the new banks of the Noughties?

Moore’s Law holds that computers get twice as fast every two years. It has never been easier for organisations to store and use – or misuse – the personal data they hold. Action is needed to stop the information thieves of today.

How Likely Is It That Organisations Will Be Fined For Data Protection Breaches?

While it’s never been easier to process information or to be caught for breach of information law, how likely is it that Organisations will be fined?

The Justice Minister has said that:

- The new penalties “will ensure the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles”.

- “Most data controllers do comply with the principles but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent.”

While the Information Commissioner (UK regulator) has publicised his intent to adopt a ‘pragmatic and proportionate approach to issuing these penalties taking into account the organisation’s size, financial resources and industry sector, as well as the severity of the breach’, he has also stated “I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law”.

Toothless Tiger?

The Information Commissioner has previously been criticised for a lack of enforcement powers. The new UK commissioner – Christopher Graham – together with his increased powers to fine, rights to spot check public sector bodies (with similar ‘dawn raid’ powers for private sector bodies likely to follow), personal criminal liability for directors and increased ICO funding mean that enforcement is set to increase.

Data Protection Legislation, one of the most expensive laws for Organisations to comply with, is here to stay. Those teeth are sharpening. Reputable Organisations don't want to be prey.

Pritchetts' Top 10 Data Protection Compliance Tips

For an Organisation to avoid being the next ‘named and shamed’ for data security breach, follow Pritchetts’ Top 10 Compliance Tips:

1. Review the Organisation’s compliance in light of the increased risks of a £500,000 penalty for breach of the Act.

2. Ensure data protection moves up the corporate compliance agenda. It must now be taken seriously at a senior level in the Organisation.

3. Health Check data protection policies and procedures – website and client facing privacy policies; data collection forms; internal data protection policies; monitoring, communications, data retention and data destruction policies, outsourcing procedures etc. – to ensure these comprehensively cover all the Organisation's data processing activities.

4. Review the Organisation's ICO notification to ensure it is accurate and up to date. Many people rely on ICO templates and renew their annual notification yearly without making changes. Failure to notify new data processing activities within 28 days is a criminal offence.

5. Have a robust subject access request procedure in place – failure to fully comply with requests for information from individuals is the top reason for complaints to the ICO.

6. Ensure marketing team practices are compliant with the Act and the Privacy Regulations (via appropriate use of customer databases, opt-ins, opt-outs, unsubscribe requests etc.).

7. Ensure all contracts with third parties who are processing data on the Organisation's behalf are in writing and contain the required data protection clauses. Pritchetts have free sample clauses (worth £500) available to readers; please contact Pritchetts at for more details.

8. Have a data security and security breach policy in place.

9. Ensure CCTV policies and signages are compliant.

10. Carry out staff data protection awareness training (see and stay abreast of legal developments in this area by signing up for free newsletters and reports from data protection experts at

Contact us for more information