Data Protection Act: UK information to avoid DPA fines

Data Protection Act information that explains exactly what you need to do in order to be compliant can be hard to come by. This mini learning guide offers tips and expert advice on how to avoid Data Protection Act fines.

By Ron Condon, U.K. Bureau Chief and Nicole D'Amour, Site Editor

Starting April 6, 2010, the Information Commissioner's Office (ICO) will acquire new powers to impose fines of up to £500,000 on organisations that fail to comply with the Data Protection Act of 1998. Up to now, the ICO has only been able to issue enforcement notices on companies that breach the terms of the Data Protection Act UK. This mini guide offers the Data Protection Act information you need to avoid Data Protection Act (DPA) fines and improve overall security posture.

Table of contents:
Have a DPA compliance plan
Data Protection Act news and analysis
Data Protection Act compliance advice

Have a  Data Protection Act compliance plan

Stewart Room, a partner at law firm Field Fisher Waterhouse LLP, warns that companies should have detailed plans in place so that if a breach does occur, they can react fast and keep any damage to a minimum.

Room argues that if a data breach occurs, companies that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.

"Most organisations unfortunately don't have good systems for actually managing the problem," Room said. "If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur, it's what you do from that point on that will determine your culpability."

An online poll ahead of the Infosecurity Europe conference which takes place in April showed that out of 148 organisations polled, 34% admitted they had no action plan for dealing with a security breach.

Room said that on top of having well documented systems and procedures to guard information, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.

"If you adopt an honourable stance from the outset," he said, "doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment."

Following Room's advice could mean avoiding some major penalties laid out by the ICO. For more Data Protection Act UK information, including more advice on how to meet compliance requirements and avoid fines, read on. We've compiled our best Data Protection Act information to ensure you are well prepared if the information commissioner comes calling.

Data Protection Act news and analysis

There have been a number of recent newsworthy announcements regarding both the Data Protection Act UK and the Information Commissioner's Office. Bureau Chief Ron Condon has provided detailed coverage of new Data Protection Act information as it was announced.

A Data Protection Act breach could cost companies 500,000 pounds
Ron Condon breaks down the potential Data Protection Act fines for a data breach. Find out what qualifies as a "serious" breach, as well as how Information commissioner Christopher Graham plans to approach breach situations.

Data Protection Act fines likely limited, audit powers may expand
As more details emerged from the ICO, it's becoming clear that the possible penalties may not be as harsh as once thought. In this article, Ron Condon reports on the scope of Data Protection Act fines, and explains how audit powers may change with this new aspect of the law.

Data Protection Act compliance advice

Once you've caught up with the news, check out our collection of technical tips, which serve as a resource to help you achieve Data Protection Act compliance.

The Data Protection Act is not something to be taken lightly, especially with the threat of fines looming. While the inclination may be to rest on your laurels once compliance has been achieved, it's vital to remain diligent and maintain that compliance going forward. In his comprehensive tip on the Data Protection Act, Michael Cobb covers everything from using encryption to comply with the law to performing a privacy impact assessment to help identify aspects of data handling that need improvement. Find all the general Data Protection Act information you need in this tip.

After mastering the Data Protection Act basics, take your knowledge a step further by reading Michael Cobb's tip on the BSI data protection standard, which provides a framework for establishing best practices and improving compliance with the Data Protection Act. Find out what the main objective of the standard is, as well as how it can help your organisation demonstrate Data Protection Act UK compliance.

Stuart Room has offered some interesting advice on how to combine the Data Protection Act principles with ISO 27001/2 compliance efforts. In 2007, the ICO identified the ISO 27001/2, an international code of practices for information security management, as a good way to get started with Data Protection Act compliance. Find out exactly how the two standards intersect, and how you can use ISO 27001/2 to aid in Data Protection Act compliance.

Having trouble trying to interpret what the ICO means by "appropriate" security measures? You're not alone. In this tip by Michael Cobb, find out exactly what the "appropriate" security measures sanctioned in the Data Protection Act are.

For more Data Protection Act information be sure to check out our panel of experts, all willing and able to answer your every Data Protection Act query.

Read more on Privacy and data protection