Breach of the data protection peace

Is this just the beginning of what will become a more rigid and strict approach to data protection act breaches? Industry chatter suggests we have seen this all before PCI started by not fining and allowing companies to miss their deadlines, but things are now much stricter and the fines are filtering through.

On the face of it, name and shame' legislation is still arguably very thin here in Europe, but the European Commission is currently weighing up whether it should enforce mandatory data breach notifications. With breaches increasing in regularity, most would argue the penalties are likely to become more severe.

"While it is true that between 6 April 2010 and 22 March 2011 the ICO concluded that in 2,565 cases compliance with the Data Protection Act was unlikely, over half of these complaints concerned subject access requests whereby an individual has either not been provided with all of the information an organisation holds about them or has not received this information within 40 days. The majority of these types of request will be resolved before there's a need for further enforcement action," said the ICO.

Most would argue the penalties are likely to become more severe.

The organisation added: "The figure for reported cases where information has been disclosed or lost and a monetary penalty is therefore more likely is only around a quarter of the total mentioned. These vary from minor administrative errors where enforcement action would not be appropriate to serious data losses which led to the ICO imposing a monetary penalty."

So, did the ICO make short shrift of its work practices when first questioned with a Freedom of information (FoI) request initially put forward by encryption firm ViaSat? For the most part, the answer is yes.

Has the industry attempted to fuel debate over data security and compliance issues to sell software licenses as a result? Generally speaking, the answer is yes.

Do we need to take an industry-wide more stringent approach to data security, compliance and regulation as a whole? Without question, it is a yes.