
Legal Briefing


A fine time to review your data protection procedures?

Overview

From April, a business that breaches the Data Protection Act 1998 (DPA) may be fined up to £500,000. Now is the time for businesses to review the adequacy of their data management procedures.

THE CURRENT POSITION – A TOOTHLESS TIGER?

The role of the Information Commissioner (IC) has to date been criticised for its weak enforcement powers. Except in limited circumstances (for example, failing to notify processing), the IC currently has no power to fine data controllers for breaches – even flagrant breaches – of DPA principles. The only sanction which has been available to him is to issue an ‘enforcement notice’ which requires a business not complying with the DPA to take steps to remedy the position.

There has been sustained criticism at EU level about wide variations in the enforcement powers of data protection authorities in different Member States. At the end of last year, the Article 29 Working Party (Europe’s advisory body on data protection and privacy) called on the European Commission to change the EU data protection framework to require each Member State to enhance the enforcement powers of its data protection authority. It said that these authorities should be “strong and bold, strategic on intervention and enforcement”. It asked particularly that Member States be required to empower their data protection authorities to impose financial sanctions for data breaches.

WHAT IS CHANGING?
