The ICO considers the new power essential to its enforcement strategy and a powerful deterrent to organisations contravening, overlooking or being merely careless with data protection compliance. The power to impose a monetary penalty notice is designed to deal with serious breaches of the DPA and is part of the ICO’s overall regulatory toolkit. It is important to note that the Information Commissioner will take a pragmatic and proportionate approach to issuing an organisation with a monetary penalty. Factors will be taken into account (including an organisation’s financial resources, sector, size and the severity of the data breach) to ensure that undue financial hardship is not imposed on an organisation. Additionally, prompt payment, within 28 days of the penalty notice, will lead to a 20 per cent reduction in such a penalty.
For a data breach to attract a monetary penalty the Information Commissioner must be satisfied that there has been a serious breach that was likely to cause damage or distress (not just financial), it was either deliberate or negligent ( i.e. the data controller must have known that there was a risk that a contravention would occur) and the organisation failed to take reasonable steps to prevent it. Therefore, organisations must be aware that where they have been advised to put data protection policies in place and have subsequently failed to do so, they will be liable for a financial penalty. Similarly, if an organisation collects data for one purpose and deliberately uses it for another this will also incur a financial penalty.
