The former head of enforcement at the Information Commissioner's Office (ICO) has said that businesses should appoint dedicated staff to keep up to date with data security issues and guidance to avoid investigation by the watchdog.
Mick Gorrill, now a consultant in the security and information law group at Field Fisher Waterhouse, said that this would provide the best chance of avoiding data losses and monetary penalties.
"Organisations should have someone nominated for data security. It's a big help as once you have that accountability and that reasonability they start listening to what the ICO is saying and put policies and procedures in place and staff training," he said at a press event today.
"If businesses show they have done everything they could reasonably be expected to do - had a privacy impact assessment, put processes in place to prevent breaches and so forth - they would be looked at favourably."
Gorrill, who left the ICO at the end of March, said that the ICO had increased in stature since being given the ability to levy fines, and that the fine limit could be increased in the future.
"To some organisations £500,000 is nothing, but the reputation damage is more important, and if you get a civil penalty it leads to a lot of publicity," he said.
"There was talk of 10 per cent of turnover which seemed to me a good idea, but if there is a view in the future that £500,000 is not enough that could be pretty easily changed."
Giving more insight into the workings of the ICO, Gorrill explained that fines are considered or issued, or other enforcement action taken, when there is a clear lack of responsibility on the part of data controllers.
"Where they go spectacularly wrong is when they are cavalier with data security, and [data breaches] could have been avoided with a little thought. That's where we got tough," he said.
Gorrill added that the public sector has a poor record on data breaches, but that local authorities, rather than the NHS, are a greater cause for concern.
"Local authorities are very disappointing. They will tell you it's because money is being taken from them and they need to keep frontline services going and the Data Protection Act does not fall into this, but we would argue it does," he said.
"The NHS has improved pretty dramatically. Before the monetary penalty became law I would have put money that the first fine would be the NHS, but it wasn't and within the NHS it's a lot better understood now. It's definitely got better."