04 Apr 2010
Experts are warning that many firms may still not be aware of new powers granted to data protection watchdog the Information Commissioner’s Office (ICO), which will enable it to fine businesses up to £500,000 for serious breaches of the Data Protection Act (DPA).
The new powers, which it is hoped will act as a deterrent and promote compliance with the DPA, were initially approved by the justice secretary in January after years of lobbying by the ICO, and come into force on Tuesday.
"As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people," said Information Commissioner Christopher Graham at the time.
"I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
The new powers have been welcomed by many in the industry, who have hitherto seen the ICO as a largely toothless watchdog.
Jonathan Nugent, a solicitor with PricewaterhouseCoopers Legal, argued that they should help to tackle the threat of continued data breaches.
"UK businesses should take note of the new rules and ensure they have effective data protection compliance measures in place to meet the ICO's standards," he added.
"This is part of a wider move to strengthen the enforcement of data protection laws in response to a number of high-profile data breaches."
Nugent suggested that the new powers may also pave the way for other measures under consideration, including potential prison sentences for criminal offences involving the misuse of personal data.
However, William Malcolm, an information law expert at international law firm Pinsent Masons, warned that the new powers represent a "step change" for the ICO that many firms may not be aware of.
"Many businesses are not aware of the new power of the ICO to impose penalties. While this is a significant deterrent now, they need to make sure they carry out reviews of how personal data is handled, and implement sensible controls to ensure that data is protected," he said.
"I do not think it will be long before the ICO exercises the powers, and an early fine of £500,000 is likely in my view. The ICO has stepped up enforcement in recent years, and would undoubtedly have used the powers to deal with some of the cases it has dealt with over the past six months had they been available."