The Information Commissioner has now joined the ranks of modern super-regulators who have teeth. Powers to impose penalties of up to £0.5m are expected to come in this Spring. Read more about the implications for SMEs.

On 12 January 2010 the data protection regulator, the Information Commissioner, issued a press release confirming the timescales and maximum monetary amount that the Commissioner will be able to impose as a penalty for serious breaches of the Data Protection Act 1998.

The Data Protection Act 1998 itself was amended back on 1 October 2009 to provide the framework for the new powers. Since then, the Information Commissioner has made no secret, in press releases and statements published on its website, of the fact that it proposed a maximum penalty of £500,000. As part of the process of establishing the penalty regime, the Information Commissioner had to prepare written guidance on how the power will be exercised, then obtain the approval of the Secretary of State, and lay the guidance before each House of Parliament. The press release confirms that the guidance was laid before Parliament on 12 January, so it appears that the £500,000 limit and the published guidance have been approved by the Secretary of State. Timescales are still to be confirmed, but the Information Commissioner's press release states that the power is intended to become effective on 6 April 2010.

This is important information for businesses to feed into their compliance and risk management agendas.

In a survey of SMEs carried out by the British Standards Institution in 2009, 20% of the businesses that responded admitted breaching the Data Protection Act 1998, 50% admitted that there was no individual in their business with specific responsibility for data protection compliance, and 65% said they do not provide data protection training for their staff. It does appear that data protection compliance is not a priority for more than half of UK SMEs, which places them at risk of breaches occurring, and the survey no doubt gives a rosier picture than the reality on the ground.

The regulator's new powers undoubtedly increase the heat for these SMEs because penalties will be rated based on the outcome for the person who is affected by a data protection breach, not just on whether or not the breach was deliberate or on the resources of the data controller. You can see the regulator's final guidelines at www.ico.gov.uk (http://www.ico.gov.uk/).

For us in the UK it is ironic that, only the day before the Information Commissioner's announcement, the founder and CEO of Facebook, Mark Zuckerberg, commented that privacy is no longer a social norm. UK law and a bevy of increasingly vocal consumer groups would beg to differ.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.