Data Breach Headlines
Before the credit crunch dominated business reporting, data protection and data security breaches were mainstream news. It was hard to pick up a newspaper without a front page headline about sensitive information left publicly in skips or missing laptops and memory sticks containing information about thousands of customers.
The recession may mean ‘more exciting’ headlines. It also means greater temptation for businesses to cut corners and a greater desire to exploit databases and information assets. Season with compliance cuts and there is a recipe for unmanageable and dangerous business risks.
Organisations that don't want to hit the headlines for poor data management should consider Pritchetts' Top 10 Compliance Tips set out below.
It Has Never Been Easier To Misuse Information
On average, research shows that each
Slick Willie Sutton, the prolific
The theory of
How Likely Is It That Organisations Will Be Fined For Data Protection Breaches?
While it’s never been easier to process information or to be caught for breach of information law, how likely is it that Organisations will be fined?
The Justice Minister has said that:
· The new penalties “will ensure the Information Commissioner is able to impose robust sanctions on those who commit serious contraventions of the data protection principles”.
· “Most data controllers do comply with the principles but since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all that we can to prevent non-compliance. Penalties of up to £500,000 will act as a strong deterrent.”
While the Information Commissioner (UK regulator) has publicised his intent to adopt a ‘pragmatic and proportionate approach to issuing these penalties taking into account the organisation’s size, financial resources and industry sector, as well as the severity of the breach’, he has also stated “I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law”.
The Information Commissioner has previously been criticised for a lack of enforcement powers. The new UK commissioner – Christopher Graham – together with his increased powers to fine, rights to spot check public sector bodies (with similar ‘dawn raid’ powers for private sector bodies likely to follow), personal criminal liability for directors and increased ICO funding mean that enforcement is set to increase.
Data Protection Legislation, one of the most expensive laws for Organisations to comply with, is here to stay. Its teeth are sharpening. Reputable Organisations don't want to be prey.
Pritchetts' Top 10 Data Protection Compliance Tips
For an Organisation to avoid being the next ‘named and shamed’ for data security breach, follow Pritchetts’ Top 10 Compliance Tips:
1. Review the Organisation’s compliance in light of the increased risks of a £500,000 penalty for breach of the Act.
2. Ensure data protection moves up the corporate compliance agenda. It must now be taken seriously at a senior level in the Organisation.
3. Health Check data protection policies and procedures – website and client facing privacy policies; data collection forms; internal data protection policies; monitoring, communications, data retention and data destruction policies, outsourcing procedures etc. – to ensure these comprehensively cover all the Organisation's data processing activities.
4. Review the Organisation's ICO notification to ensure it is accurate and up to date. Many people rely on ICO templates and renew their annual notification each year without making changes. Failure to notify new data processing activities within 28 days is a criminal offence.
5. Have a robust subject access request procedure in place – failure to fully comply with requests for information from individuals is the top reason for complaints to the ICO.
6. Ensure marketing team practices are compliant with the Act and the Privacy Regulations (via appropriate use of customer databases, opt-ins, opt-outs, unsubscribe requests etc.).
7. Ensure all contracts with third parties who are processing data on the Organisation's behalf are in writing and contain the required data protection clauses. Pritchetts have free sample clauses (worth £500) available to readers, please contact Pritchetts at http://www.pritchettslaw.com/contact for more details.
8. Have a data security and security breach policy in place.
9. Ensure CCTV policies and signage are compliant.
10. Carry out staff data protection awareness training (see http://www.pritchettslaw.com/training) and stay abreast of legal developments in this area by signing up for free newsletters and reports from data protection experts at http://www.pritchettslaw.com/newsletter.