…that's the message I've been hearing from vendors who are all leaping on the marketing bandwagon and trying to make a quick buck out of the Data Protection Act (DPA).
Whilst a spot of scare-mongering encourages some healthy debate, this is verging on the ridiculous. If I see another mailshot with the words “£500,000. Can you afford the fine?” I'll scream!
I'm really hoping that companies will take a balanced risk/cost approach and not go out and buy enterprise wide encryption or data loss prevention solutions “so they don't end up paying the fine”, but I know deep down that many will. They believe the hype.
So, to cut to the chase, how exactly do you get fined £500,000?
The answer is with great difficulty and through repeated offences that ignore the ICO's advice and enforcement orders. With an enforcement order sitting on a CEO's desk, chances are he or she will listen up and change business processes pretty darn quickly.
The ICO appreciates that everyone makes mistakes. They're not in business to punish those who make mistakes, but to help educate businesses who have intentionally or unintentionally violated the DPA, to ensure those violations do not happen again.
Fines? Not seen any yet, but will be keeping an eye on the ICO's press release page for updates:
Having the power to issue fines and actually fining people are two different things.
The ‘threat’ of a fine will encourage companies to comply and weed out the serious offenders, but these offenders already know they're breaking the DPA. Your average day-to-day business that makes a mistake and loses a few laptops is certainly not going to be hit with a business-crippling fine if it doesn't encrypt all its laptop hard drives.
It's very difficult to be seriously negligent without actually knowing about it.
I'm sure offenders know who they are… and we will know too once your name ends up on the naughty list…!