Since the Information Commissioner's Office (ICO) was given greater powers last April, it has only punished 1% of all data breaches.
Of the 2,565 data breaches recorded since April 2010, only 36 have resulted in a punishment, with just four resulting in a fine, according to figures released under the Freedom of Information Act (FOI).
About 80% of punishments have gone to public sector bodies, although the majority of actual breaches (59%) were from the private sector, according to the findings of an FOI application submitted by data encryption company ViaSat.
Chris McIntosh, the chief executive of ViaSat UK, said: "The ICO has stated that the private sector has a worse grasp of the Data Protection Act than the public. However, the ICO's actions so far do not seem to encourage any improvement.
"For example, other organisations can easily look at the £60,000 penalty meted out to A4e, its size compared to the company's £145m turnover, its rarity and the fact that A4e is still receiving plenty of business, from the government no less, and feel that the risk of ICO action is one they are prepared to take."
The ICO was given the power to fine companies in breach of the Data Protection Act up to £500,000 in January 2010.
But the first fines were not handed down until November, when Hertfordshire County Council and employment services firm A4e failed to meet their responsibilities under the Act and were ordered to pay £100,000 and £60,000 respectively.
In February, Ealing Council and Hounslow Council were also fined £80,000 and £70,000 respectively.