The speed with which the government proposed and then ratified new legislation, which has given the Information Commissioner’s Office (ICO) significant punitive powers in the event of data security failures, has become a talking point amongst industry experts.
The ICO’s new ability to impose fines of up to half a million pounds has been well publicised, with data expert and lawyer Stewart Room commenting during a speech at a data protection conference as to the likely impact of the changes and the most appropriate way in which businesses should respond.
Mr Room said that the significant speed at which new data protection legislation was being forced through showed that it was being formed and finalised within multiple public organisations simultaneously in order to maximise the impact of the process.
Mr Room pointed out that although half a million pounds was a significant sum when taken out of context, it paled in comparison to the amounts that were changing hands during the recent bank bail-outs. He went on to explain that the fine would not merely be significant because of its financial impact, but because of what it would symbolise for any business upon which it was imposed.
According to Mr Room, any business which receives a fine after the ICO gets its new powers on April 6th will be subject to scrutiny from its potential clients, resulting in lost business and general mistrust as a result. It will no longer be seen as competent enough to safeguard the data with which it is charged and the ramifications of such a label could prove to be enduring and incalculably damaging.
Mr Room pointed out that following a fine, a business would potentially be faced with having to cut jobs and could see its share price slide unless it takes the necessary steps to bring data protection and backup security to acceptable industry standards.
The imposition of an ICO fine of this kind will require that the breach can be definitively shown to be deliberately instigated. Mr Room believes that businesses will have to respond more carefully to calls from within and from external parties regarding data handling in order to avoid what may now be a far greater negative impact in the event of a security breach.
