“has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.”

additionally …

“the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.”

Last year Christopher Graham, the Information Commissioner, described the types of organisation that would fall foul of his fining powers as the “serially incompetent and wicked” and estimated that there would be around twenty fines issues in the first year of operation. The power to fine has been in force for nearly nine months and the Commissioner’s is yet to use his powers although it is widely known that there are two fines “on the way”.

Our key message is that you won’t get fined for accidentally contravening the Data Protection Act, but you will be at risk of you do it knowingly or you are careless with lots of people’s personal data.

The Commissioner’s guidance notes makes it clear the circumstances in which you could get a fine, and it is required reading. Our advice is that the best protection is to undertake a risk assessment that looks at how you acquire, process, store and share personal data.

Our QSAs have at least five year’s experience in general information security consulting as well as experience in PCI. Blackfoot is a business enabler, not a compliance auditor and our approach is usually to determine how to minimise the amount of cardholder data our client’s retain.