Are UK data protection laws lacking?


Data protection laws in the UK are inadequate and need reworking, according to half of respondents to a Sophos survey.

Of the 1,200 organisations that were polled, half claimed the current legislation is too lax while 87 per cent agreed companies should be forced to report on sensitive data breaches.

Far fewer, 16 per cent, showed concern about the costs of complying with current laws.

The results come not long after the UK was asked by the European Commission to show what measures it will be taking to ensure the country's laws comply with the EU's Data Protection Directive.

Furthermore, the Ministry of Justice initiated a Call for Evidence earlier this month which will ask for views on how the European Data Protection Directive and the Data Protection Act are working.

Anxieties about the state of data protection law in the UK were voiced at a roundtable event this morning hosted by Sophos and law firm Field Fisher and Waterhouse (FFW), who teamed up earlier this year to help companies with information breach and loss concerns.

Stewart Room, partner for the privacy and information law group at FFW, advocated the introduction of mandatory reporting into UK law as well as an uncapped financial penalty, rather than the 500,000 limit on the Information Commissioner's Office's (ICO) punitive powers.

"The moment you have a cap, it is the moment you lose the power of your arsenal," he suggested.

Room said if the ICO began fining companies at the top end of the cap, harsher penalties would not be available when more significant data breaches occur.

James Ford, head of the ICO's press office, explained that the body will be using its powers in a proportionate way and pointed out that the new 500,000 fining power was only initiated in April. It is yet to be seen what the body will do with its new punitive capabilities.

"In terms of self-reporting breaches, obviously the ICO and the commissioner encourage organisations that experience a security breach to come to the ICO to talk to us about that so we can help their organisation get things in order for the future," Ford said.

"The commissioner has the power to take a range of actions against organisations that experience security breaches and the reasons why he has those powers comes back to deterrent. The commissioner is not in the business of waving his big stick for the sake of it, he is in the business of making sure board rooms understand the importance of the issues we are talking about today," Ford commented.

"It is vital that all organisations, be they large or small, take data protection more seriously and we are seeing that," he added.

But Room claimed the majority of companies in the private sector do not report breaches as they are unwilling to risk being fined or have their reputation tarnished. He also pointed out that a breach of security does not always mean a law has been broken.

"Burying the bad news is the bit that we have got to tackle," the lawyer said, after calling for greater clarity in UK data protection legislation so companies understand their position better.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.