Data Protection Act Enforcers
Principles, Protections and Penalties
Who Enforces the Data Protection Act?
If you are operating a business within the UK, chances are the Data Protection Act directly affects many of your responsibilities and practices regarding the personal data you process. After several years in development, the General Data Protection Regulation (GDPR) was introduced across Europe in 2016 and became enforceable in May 2018.
Incorporated into UK law in the form of the Data Protection Act (DPA) 2018, the regulation not only placed new responsibilities upon organisations that handle personal data, but also sought to strengthen the rights of citizens in relation to their data and to address several decades of technological advancement.
Data Protection Act 2018
Replacing the Data Protection Act 1998, the DPA 2018 built upon and carried forward many of the existing principles. Governing how organisations work with personal data, both the GDPR and the DPA centre around seven key principles.
The Seven Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Who Enforces the Data Protection Act?
Though the GDPR is a Europe-wide piece of regulation, the law is applied at the national level, with each country establishing its own enforcement authority. In the UK, the authority responsible for enforcement is the long-standing Information Commissioner, head of the Information Commissioner’s Office (ICO).
As an independent authority, the ICO’s mission includes upholding information rights, promoting openness by public bodies and advancing the data privacy of individuals. In this capacity, the Information Commissioner also has the power to levy large fines upon offending and non-compliant organisations.
Under the DPA, the ICO has the power to hand out fines of up to 20 million Euros, or 4% of global annual turnover from the previous year, whichever is greater. This is a sharp departure from the previous maximum (under the DPA 1998) of a relatively meagre £500,000.
History of the ICO
The Information Commissioner’s Office was originally founded in 1984 and its role has grown considerably since then. With the introduction of the GDPR and the surrounding ‘excitement’, the independent authority has also grown in prominence.
“ has seen the biggest upgrade in UK data protection laws for a generation”
Information Commissioner’s Office
Having developed from a relatively small organisation headed by a Data Protection Registrar, the ICO now handles tens of thousands of data protection complaints, thousands of freedom of information complaints and hundreds of thousands of calls to its helplines every year.
Since the mid-eighties, a great deal has changed in the way organisations collect, handle and utilise personal data. The introduction of now-ubiquitous personal electronics, not to mention a few high-profile cases of data mishandling, has seen the public’s expectations regarding data rights very much enter the zeitgeist.
Since 2016 the ICO has been led by Elizabeth Denham CBE who has overseen a plethora of important cases and investigations into the mishandling of personal data.
Enforcing with Fines
Included within the seven principles of data protection is the ‘accountability’ principle. This guiding element of modern data protection law places the responsibility to protect personal data squarely upon organisations.
Not only do organisations have a responsibility and obligation to take the necessary precautions to protect data, they are also required to document their compliance and make it demonstrable to the authorities.
In addition, organisations are required to report any data breach to the ICO within 72 hours of becoming aware of the incident. Should a breach be likely to result in a ‘high risk of adversely affecting individuals’ rights and freedoms’, then the affected individuals must also be informed of the breach without ‘undue delay’.
In terms of who enforces the Data Protection Act, while it is the responsibility of the ICO to help, advise and potentially punish, it is also the responsibility of organisations to make sure they are informed, secure and compliant.
Failure to comply with any element of the DPA, including individual rights or the data protection principles, can now result in hefty fines, far outweighing those previously possible.
The penalties are designed as a two-tier system: the ‘higher maximum’ of 4% of annual turnover or 20 million Euros is reserved for the most serious violations, while the ‘standard maximum’ for lesser violations amounts to 2% of annual turnover or 10 million Euros.
Data Protection Fee
Under the UK’s Data Protection Act, organisations responsible for the processing of personal data are in most cases required to pay a data protection fee to the Information Commissioner’s Office.
Covering all forms of processing, from medical data to crime-prevention CCTV, the data protection fee accounts for between 85% and 90% of the ICO’s annual budget, with the authority collecting around £40 million from the fee between 2018 and 2019.
There are approximately 600,000 organisations already registered, each of which is publicly named by the ICO. Acting as an indication of adherence to data protection responsibilities, the fee ranges in cost from around £40 up to £2,900, though it is typically at the lower end of that spectrum.
The fee is based on a self-assessment, which can be completed on the ICO’s website, and any organisation which has not already registered should do so immediately to avoid a monetary penalty.