Heavy fines for data losses from today
Information Commissioner gets tough on damaging data breaches
Ellis: The channel can garner opportunities through educating businesses on what they need to do
Businesses can now be fined up to £500,000 for breaches of the Data Protection Act 1998 as an amendment to the law came into force today.
The Information Commissioner’s Office (ICO), which will hand out the penalties, says in its online guide that there are eight basic principles which anyone processing personal data can follow to stay on the right side of the law.
“The scope of the Data Protection Act is very wide, as it applies to just about everything you might do with individuals’ personal details,” the ICO said. “It does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction.”
This may include IT-based defences such as encryption or special arrangements around data storage, but according to the ICO those are unlikely to be sufficient on their own, with processes and practices taking centre stage.
Nothing in particular relating to the use of specific types of IT has been mandated.
Nevertheless, security technology vendors such as Symantec hope the bolstered law will kickstart additional sales.
Jason Ellis, EMEA channel vice president at Symantec, said the company believed businesses need to develop and enforce a robust security policy that includes tight control over customer data. Such data should not physically leave the premises unless absolutely necessary, he claimed.
“By educating businesses about IT security best practice, the channel can ensure businesses avoid the burden of some potentially devastating fines,” Ellis said.
“The ICO is getting tough on data loss following some high-profile cases where sensitive information has been stolen or lost,” he added.
Fines will only be handed out where the ICO considers that a serious breach is likely to cause damage or distress and was either deliberate or negligent, with the organisation involved failing to take reasonable steps to prevent such a breach.