UK: Data Protection - More Guidance And New Penalties

The UK data protection regulator, the Information Commissioner's Office (the ICO), has recently published a 'plain English' guide to the Data Protection Act. The ICO's website states that 'the Information Commissioner's Office Demystifies Data Protection' and seeks in this guidance to address some of the common 'myths' of data protection. The guidance refers, for example, to a commonly-held misconception that individuals are not allowed to take photos of children in schools. This is an issue which the ICO has highlighted in the past, although it is not a significant concern for most businesses.

Meanwhile, new higher £500 rates for data protection registration have been imposed for large companies which are required to register their data processing with the ICO. This additional revenue will help fund the ICO's enforcement of the law.

The powers of the ICO are also being increased with new draconian penalties for serious breaches of the law likely to be implemented in the early part of 2010. The proposed penalties include the right to fine companies up to £500,000 for serious data protection breaches and the right to imprison individuals for data theft and unauthorised reckless disclosures. The ICO has (in voluminous draft guidance) stressed that fines will be proportionate and only imposed for serious and reckless breaches.

In practice, however, what constitutes a serious or reckless breach is far from clear-cut. For example, many multinationals currently routinely breach data privacy rules restricting international data transfers. If they continue to make such transfers without regulatory approval in future (as in reality many will have to do) that will arguably constitute a serious ongoing breach.

It is unsurprising that despite the Information Commissioner's claim to be demystifying data protection law, this remains one of the most problematic areas of legal compliance. The British Chambers of Commerce Burden's Barometer for 2009 has once again highlighted data protection compliance as one of the most burdensome issues for British businesses, with annual compliance costs to UK businesses estimated to reach an astonishing £667 million.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.