The statement issued by the Information Commissioner’s Office (“ICO”) yesterday confirming its intention to fine eleven charities for breaches of the Data Protection Act 1998 (“DPA”) serves as a timely reminder of the ICO’s enforcement powers under the DPA.
Currently, the ICO is able to fine data controllers who breach their statutory obligations under the DPA a maximum of £500,000. In determining the level of fine, the ICO takes into account not just what will be an appropriate level to act both as a sanction and also as a deterrent, but also the sector, size, and financial and other resources of a data controller.
The procedure for the ICO issuing such a “Monetary Penalty Notice” (“MPN”) begins with the ICO serving the contravening party with a “Notice of Intent” confirming the proposed penalty, followed by a pause to permit the recipient an opportunity to make representations before the ICO finalises its conclusion and the MPN. If the recipient is dissatisfied with the outcome, they are entitled to appeal the MPN to the First-tier Tribunal (Information Rights).
The maximum fine for breach of data protection laws will increase significantly when the General Data Protection Regulation (“GDPR”) comes into effect; from 25 May 2018, the ICO will be able to levy a fine of up to EUR 20 million or 4% of worldwide turnover. Reviewing your data operations and considering what data you are processing, and for what lawful purpose(s), is a critical aspect of preparing for the changes to the law that the GDPR will bring.