Monetary Penalty Notices

There’s been a good deal of FUD (fear, uncertainty and doubt) about the Information Commissioner’s new powers to fine companies, and it’s something that we’ve been asked about a few times. The ICO now has the power to levy a monetary penalty notice (a fine) on an organisation that:

“has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.”

additionally …

“the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.”

Last year Christopher Graham, the Information Commissioner, described the types of organisation that would fall foul of his fining powers as the “serially incompetent and wicked” and estimated that there would be around twenty fines issued in the first year of operation. The power to fine has been in force for nearly nine months and the Commissioner is yet to use his powers, although it is widely known that there are two fines “on the way”.

Our key message is that you won’t get fined for accidentally contravening the Data Protection Act, but you will be at risk if you do it knowingly or you are careless with lots of people’s personal data.

The Commissioner’s guidance notes make clear the circumstances in which you could get a fine, and they are required reading. Our advice is that the best protection is to undertake a risk assessment that looks at how you acquire, process, store and share personal data.