Companies face financial ruin with new Data Protection fines

Data protection moved up a gear today when the UK government announced that the Information Commissioner has now been given the power to fine companies up to £500,000 for not taking adequate steps to prevent data loss.

The implications of this for any organisation holding personal data are potentially devastating - but the new powers rightly guard against the theft or loss of sensitive information after years of one scandal after another. From laptop theft to USB stick loss, millions of people across the UK have been affected by their data falling into the hands of those with less than legal intent.

A survey by Cyber-Ark has revealed that most UK businesses are completely unaware of the legislative powers that have been applied and that few, if any, do anything to warn employees of the company's legal responsibility to protect customer data.

So, how does this impact your business?

The simple fact is that if you or your employees carry devices that hold customer information, you are at risk if you make no attempt to encrypt or protect that data. Files on USB sticks, spreadsheets or databases on laptops, information on mobile devices such as iPhones, even the data on personal computers or servers that might be stolen - if the data on any of these devices is not password protected or encrypted then you are at real risk of a crippling action.

In the event of data loss it will be the responsibility of the business to demonstrate to the Information Commissioner that it took adequate steps to guard against the data being read or re-used by whoever it falls into the hands of.

The law could also apply to companies with websites that do not take adequate steps to protect against hacking and theft of data.

Our advice is relatively easy to absorb. If you have not addressed the issue of password protecting or encrypting files already - you have been warned. The time to leave it to chance has long since gone. If you think you can handle a fine of £500,000 - well you work in a braver company than we do.

The risk

The majority of people reading this article will quickly realise they are not taking anything like sufficient steps to protect data.

From your trusty USB stick to your laptop - almost every executive, manager or employee we can think of will, at some time, carry data that is not protected in any way, shape or form. If you lose that CD that has your customer database on it, with their telephone numbers, or whatever it may be - you run the very real risk of that data falling into the wrong hands, being misused and the Information Commissioner asking you some very awkward questions indeed.

Ignorance will be no excuse. Whilst we think the government has communicated data protection law incredibly poorly, it will not stand up in court to say you did not realise you had to protect personal information. If you think about it, you would be annoyed if your information was subject to theft or loss and your privacy was compromised as a result. Your customers are no different.

Resolving the potential for loss may not be as bad as might be thought. Even demonstrating a procedure or instruction against loss will guard you against the heavy fines - but doing nothing will not.
