Data Protection: Can Your Business Afford £500,000 Penalty Fees?

Only a few months ago, Wembley-based money-lending company Jala Transport Ltd was fined by the Information Commissioner’s Office (ICO) after the theft of a portable hard drive containing its customer database, including ID documents and bank statements. The drive was password protected but not encrypted. A password on its own is only a gate in front of data that is still stored in the clear; anyone who connects the drive to another machine can read the files directly without ever being asked for it, so the information was easily accessible.

Compromising Personal Data is a Costly Affair

Luckily for them, Jala Transport Ltd was only fined £5,000; the sum reflects the means of a small business and the fact that the data loss was reported voluntarily and promptly. But this is a drop in the ocean compared with previous penalties imposed by the ICO. Just a few weeks ago, the Ministry of Justice itself received a penalty notice of £140,000 for accidentally releasing the details of over 1,000 inmates at HMP Cardiff. For the most serious breaches of the Data Protection Act, penalties can reach £500,000.

Aside from financial penalties, the damage a data breach does to your business is just as serious. Further costs are likely to follow, such as compensation to customers and IT fees to ramp up security and try to recover the lost data; your reputation and credibility are on the line too, and the risk of losing customers is not negligible. Set against all that, protecting your customer data isn’t as costly or daunting as it might sound.

Register with the ICO

If you hold and process information about your clients, employees or suppliers, you are legally obliged to protect that information under the Data Protection Act 1998. Unless you’re exempt, you must also register with the ICO. For most businesses this costs only £35 per year; the fee rises to £500 only for organisations with more than 249 staff and a turnover of £25.9M or more.

Secure Your Data

A few simple steps will ensure your data remains protected:

  • Keep your premises and equipment secure: alarms and up-to-date security software matter equally, within your own four walls and at any third-party organisations you use.
  • Have a strong password policy in place for all devices AND sensitive files, and remember that a password only controls access through the software that checks it; it does nothing for data that is stored in the clear.
  • If data needs to leave the office, encrypt the devices it’s stored on (full-disk encryption on laptops and portable drives), so that a lost or stolen device yields nothing without the key.
  • Encrypt the critical data itself as well, so that if a copy falls into the wrong hands it stays unreadable without the key.
  • Educate your staff on the legal requirements of data protection as well as best practice; secure use of email, personal devices and cloud services should be stressed in particular.

Be prepared

In the unfortunate event of a breach, it’s vital to know how to respond. So ensure your business has a strategy in place that addresses the following points:

  • What is the extent of the breach?
    Assess which data has been compromised and the wider risks it poses for the business and for the individuals concerned.
  • How can you limit the damage?
    There might be ways to recover the data or to remotely wipe the device so the data can no longer be accessed.
  • Who needs to know about the breach?
    Ensure all individuals concerned are notified so they can take measures at their end. Don’t forget the relevant organisations too, such as the ICO.
  • What do you do next?
    Evaluate how the breach was made possible and ramp up your security in response.

As laws and regulations evolve quickly, it might be a good idea to consult a specialist law firm to ensure that your business stays on top of its obligations. If you handle a lot of sensitive data or operate in a sector particularly at risk, such as healthcare or financial services, taking out cyber security or liability insurance is also essential.

Is YOUR business ready?

These resources will help you assess the risks your business might be running:
