Privacy regulator the Information Commissioner's Office (ICO) will have the power to fine organisations for serious data protection breaches from Tuesday, 6th April. Organisations could receive fines of up to £500,000 under the new powers.
The ICO had long lobbied for increased powers over organisations that fail to protect people's information in a way that causes them harm or affects large numbers of people. The Government agreed to the new powers last year.
The ICO has published guidance on when it will impose penalties.
"The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress," the guidance said. "In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it."
"The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act," it said. "The possibility of a monetary penalty notice should act as an encouragement towards compliance, or at least as a deterrent against non-compliance, on the part of all data controllers."
Data protection law expert William Malcolm of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the powers were likely to be used, and were something that organisations should pay immediate attention to.
"I do not think it will be long before the ICO exercises the powers and an early fine of £500,000 is likely," he said. "The ICO has stepped up enforcement in recent years and would undoubtedly have used the powers to deal with some of the cases they have dealt with over the last six months had they been available."
Malcolm said that the introduction of direct penalties from the ICO was a major step forward for the regulator.
"The new powers of the ICO to impose financial penalties on businesses and public authorities mark a step change in the powers that the ICO has available to deal with serious breaches of the Data Protection Act," he said.
He said that companies which are worried about their own data protection systems and processes should make sure they are checked and re-evaluated to avoid the danger of being one of the early recipients of a penalty.
"For many organisations the new powers will require no change as compliance practices will be well settled," he said. "However for many others the new powers represent an opportunity to review compliance arrangements to ensure that they are taking a balanced approach to risk management in the light of the new powers."
When publishing its guidelines on the levying of fines, the ICO said that it would issue penalties that were proportionate to the size and wealth of the organisation involved.
"The Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty," an ICO statement said at the time. "Factors will be taken into account including an organisation’s financial resources, sector, size and the severity of the data breach, to ensure that undue financial hardship is not imposed on an organisation."