From today, the Information Commissioner's Office (ICO) can serve a Monetary Penalty Notice with fines up to £500,000 for a serious data breach.
Under Section 55A of the Data Protection Act 1998, the ICO can impose a fine where a data controller has seriously contravened the data protection principles and that contravention was likely to cause substantial damage or distress.
The level of a fine will be determined by:
- The seriousness of the contravention.
- The nature of the personal data involved.
- The duration and extent of the contravention.
- The number of individuals actually or potentially affected by the contravention.
- Whether the matter is one of public importance.
According to the ICO, a fine is more likely to be imposed where an organisation has failed to take reasonable steps to prevent the data loss: for instance, where it has not established adequate procedures, processes and practices to reduce the risk of data loss, or where there are no clear lines of accountability.