The Data Protection Act (‘DPA’) in the UK is a cornerstone of IT and information-related legislation. It applies to all organisations that collect or hold information about living individuals. Most organisations would claim that they comply with the DPA. The reality is that many don’t – over 800 organisations have reported data breaches in just the last two years – and, as reporting data breaches is not a legal requirement, it is likely that there have been many more breaches similar to those described here, but which have been ‘swept under the carpet.’
The Information Commissioner (ICO) will, from 6 April 2010, have the power to levy fines of up to £500k for serious breaches of the DPA. Which organisations will suffer the first fines?
For all organisations, the choice is clear and straightforward: continue with shoddy data protection practices and face potentially significant financial penalties, plus the widespread press coverage that will attend such a fine, or take steps to improve those practices. There is, in fact, a good business case to be made for doing exactly that. The ICO has just published The Privacy Dividend, which describes how to make the business case for the necessary investment and even includes – for free – all the documentation that an organisation might use as part of that business case.
Penalty or dividend?
It shouldn’t be a hard choice, should it?