The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.
But this is not enough: the ICO is only responding to the pathetic sentences given to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way we will develop a real culture of compliance is if the directors of companies that breach the DPA are personally liable for fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.
After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?