A new law introduced last week will see companies fined up to £500,000 if they fail to protect the information they hold about individuals including their customers and employees.
After a series of high profile incidents of personal information being lost or exploited, including a recent allegation that T Mobile sold its client database to a competitor, the body charged with protecting personal data – the Information Commission (ICO) – has taken steps to strengthen its powers to enforce the Data Protection Act with new sanctions that will allow fines, or even jail terms, to be imposed on those who knowingly break the rules.
Cameron Craig, partner at the Sheffield office of DLA Piper, who specialises in advising companies on data protection, explains: “Although the Data Protection Act has been cited in various arguments about lost laptops and missing CDs of data for many years, it has actually been very difficult to enforce penalties on those who knowingly flout the rules.
“These new sanctions are essentially about the Information Commission giving their rules some teeth and once they are in place, it’s likely the ICO will be much more stringent in applying them at all levels. Worryingly, however, a large number of companies still seem unaware of the regulations, and their responsibilities under them. Although it will only be the most serious and flagrant breaches of the Data Protection Act that will result in half-million-pound fines or jail terms, the new rules could show up major holes in companies’ strategies for protecting data and thus put them at risk.”
According to Cameron, the main areas Yorkshire companies should be considering are what data is collected, how and where the data is used and stored, and who has access to it. Inadequate policies, procedures and security systems, and a failure to ensure staff are aware of their responsibilities if they have access to personal data, could lead to action from the ICO.
He adds: “Information is key to companies of all sizes, but many seem to be unaware of the requirements of the regulations.”
“I come across many companies that have unwittingly failed to comply with the Data Protection Act simply because they didn’t consider the basic protection and controls that need to be applied to records of personal information.
“Companies are often unaware of the basic data security requirements such as the need to control access to the information, and to ensure that laptops containing sensitive personal information are properly encrypted if staff are allowed to take them out and about.
“Implementing proper policies and security systems may seem too costly to consider in the current market, but these new rules mean the cost of non-compliance could be much greater.”
For further information, contact DLA Piper on 08700 111111 or visit www.dlapiper.com