Companies face £500k fines for data breaches

The maximum fine for serious losses of customer data increases a hundredfold as new powers at the Information Commissioner's Office come into effect
Written by Tom Espiner, Contributor

Businesses now face fines of up to half-a-million pounds if they breach data protection laws, after new powers for the Information Commissioner's Office came into effect on Tuesday.

The Ministry of Justice, which provides the budget for the Information Commissioner's Office (ICO), gave a green light for the maximum £500,000 fine at the beginning of the year. Justice minister Michael Wills laid a statutory instrument before parliament in January, setting the level of the fine. It became law on 6 April by default and replaces the previous maximum fine of £5,000.

The data watchdog will now be able to issue heftier fines against businesses and other organisations that suffer serious breaches exposing their clients' personal information.

"When things go wrong, a security breach can cause real harm and great distress to thousands of people," said information commissioner Christopher Graham when the new powers were introduced in January. "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act."

The tougher sanctions follow a number of serious breaches. In a recent example, Lancashire County Council was criticised by the ICO in January after leaving a number of social work case files in a filing cabinet that was sold secondhand to a member of the public. In addition, the watchdog said in November it was considering prosecuting several T-Mobile employees accused of selling millions of customer records to rival mobile service providers.

The new powers for the ICO are "a move in the right direction", according to Andy Buss, a service director for analyst firm Freeform Dynamics.

"The powers are needed to help cut out the culture of sloppiness and boost data protection," said Buss.

However, Buss said that to be truly effective, data loss fines needed to work in tandem with data breach notification laws. There is no compulsion under UK law to disclose data breaches.
