Out-Law / Your Daily Need-To-Know

Data protection fines drive up compliance elsewhere across industry, research finds

28 Jul 2014, 12:57 pm

Fines issued by the Information Commissioner's Office (ICO) against organisations for data protection law compliance failings influenced others' attitudes towards data protection elsewhere within the industries in which those penalties were served, new research has found.

News of a data protection fine being served prompts nearly half of organisations operating in that sector to review their own data protection policies and practices (19-page / 104KB PDF), according to a survey commissioned by the ICO.

Civil monetary penalties (CMPs) have a "clear impact" on how organisations served with the fines manage their own data protection responsibilities, but they also act as a "useful deterrent" to others, the ICO's report said.

Senior managers at approximately 60% of other organisations become more interested in data protection as a result of hearing about fines issued to other organisations, whilst 47% of respondents said that news of a data protection fine prompted them to introduce new data protection training for staff, it said. More than a quarter of organisations also conduct internal audits after hearing about others' data protection fines, according to the ICO's report.

"The findings indicate that the positive impact on data protection compliance [achieved by issuing organisations with CMPs for data protection compliance failings] was extended to peer organisations, where CMPs were viewed as an incentive for them to get it right first time," the ICO's report said. "The majority reported that there was greater senior management buy-in; just under half said they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs, and some increased training and initiated internal audits."

The ICO has the power to issue organisations with fines of up to £500,000 for serious breaches of the Data Protection Act. The test for determining if a fine is justified is if the breach is serious and "of a kind likely to cause substantial damage or substantial distress".

The ICO's report revealed that some organisations that have been issued with fines are unclear about how the watchdog determined that the test for serving a fine in its case had been reached. Concern was also expressed by some research respondents over a lack of clarity about how the ICO determined the level of fine in their case.

The ICO said that, to address those concerns, it would consider "whether we can explain how the conditions apply in individual circumstances in more detail" in the notices of intent it issues to organisations ahead of serving formal CMP notices. In addition, it said it would explore how it can be more transparent about the way in which the level of data protection fines is calculated.

The ICO also said that it will review the guidance it has issued previously on issuing CMPs in light of the concerns raised during the research exercise about how the 'substantial damage and distress' test is interpreted.