Will the threat of jail improve data protection?
In his latest Inside the Enterprise column, Stephen Pritchard talks about the Data Protection Act and how not knowing the ins and outs of it could cost your business dearly.

Next month, UK data protection laws will be strengthened again.
From 6 April, fail to observe the Data Protection Act, and your company faces a 500,000 fine. Until now, the maximum fine the Information Commissioner's Office (ICO) could issue was 5,000; arguably not even a slap on the wrist for those who fail to protect data.
In many ways, the move should be welcomed. The ICO had only limited powers to go after organisations that put personal data at risk.
In practice, the Information Commissioner has had to rely on naming and shaming those behind data breaches, or leave it to other agencies, such as the Financial Services Authority, to wield a bigger stick.
The FSA has handed out some pretty hefty fines already, most notably to HSBC, which was forced to pay more than 3m for multiple data breaches.
The ICO will not be able to go that far next month, although the organisation is pressing for still tougher penalties, including possible jail terms.
In October, the Ministry of Justice issued a consultation, which proposed a custodial sentence of up to two years, for those who knowingly or recklessly breach Section 55 of the Data Protection Act.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Whilst the Government considers the results of the consultation, the ICO will have to rely on financial penalties alone. And the effectiveness of the ICO's sanctions will depend largely on how it chooses to use its new powers.
As Richard Turner, chief executive of data security company Clearswift, points out, most data breaches that are not deliberate are preventable. Better user education about the Act, as well as better data loss prevention technology, will help companies comply.
Businesses, though, might not invest in those measures if the threat of heavy fines, or even jail time for their executives, hangs over them. So for the Act to be enforced effectively, the ICO will need to distinguish between genuinely accidental data losses, those that are caused or aided by negligence, and those that are deliberate.
The largest fines will need to be reserved for those data losses where someone acted with intent.
But if the goal is to improve data security overall rather than simply punish offenders then the ICO could do worse than to follow the FSA's model and reduce its penalties for organisations that co-operate with its investigations. That way, companies have an incentive to fix the problem once and for all.
The ICO has issued guidance on how it will use the new penalties here.
Stephen Pritchard is a contributing editor at IT PRO.
Comments? Questions? You can email him here.
-
The IT industry’s shift to circular, low-carbon solutions
Maximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition review
Reviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuse
News The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victims
News Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlash
News UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime Agency
News The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failures
News The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firms
News Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failures
News The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaign
News HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled