How to avoid and tackle an ICO monetary penalty notice

'You may be able to bring the level of the fine down', says Hazel Grant

5 June 2014

By Manju Manglani, Editor (@ManjuManglani)

Firms are increasingly at risk of punitive damages and bad publicity for data protection breaches as a result of increased mobile working by staff and clients.

That's the view that emerged yesterday at Ark Group's Data Protection Conference 2014, which considered the regulatory challenges and how firms can ensure they are safe from prosecution.

The proliferation of data, its storage and the range of devices on which it is held are creating inherent risks in the digital world, warned Rosemary Jay, a senior attorney at Hunton & Williams.

The digitalisation of business processes has led to a "rise in compounded risk of negligent or deliberate data loss or data theft (internal and external)," she said.

Managing this risk "requires continuous education, monitoring and a holistic approach to data privacy and information security," she added.

Agreeing, Veronica Fraser, head of data protection and information risk management at the UK Department of Health, said: "Just as a puppy is not just for Christmas - it's for life - you also need to have a lifetime data protection plan."

Jay suggested that the building blocks of an effective privacy programme are: data collection and marketing; DPA notifications and authorisations; data transfer mechanisms; data sharing and processing agreements; information security; governance, policies and training; and records management.

Jay believes this involves the effective interconnection of auditing and response; leadership and oversight; information audit and risk assessment; policies, procedures and people; privacy by design; and training and communication. Central to each of these is "accountability and effective compliance", she said.

Added Fraser: "Find your champions if you can - the ICO is your friend and your enemy, your trainer and your regulator. If you don't want to invite the ICO into your office to give you a voluntary audit, ask your 'next-door neighbour' to do a reciprocal unofficial audit of your data. Use what opportunities you can."

Challenging a notice of intent

Firms that fail to have adequate safeguards in place are at greater risk of being issued with a monetary penalty notice by the Information Commissioner's Office (ICO), speakers warned.

In the eventuality that your firm is issued a notice of intent, you should always send back representations to challenge it, said Hazel Grant, a partner at Bristows.

"It is important to do so as it could help you to reduce that fine and change what is published in the penalty notice," she said, noting that there is often a lot of publicity generated about fines on organisations and the reasons for them.

The key, advised Grant, is to demonstrate your organisation's intention to ensure data protection compliance by recording and storing all efforts as they are made so that they are easily accessible if your organisation receives a notice of intent.

"Prepare for a doomsday scenario and put a pack together in advance that can show the ICO how good your organisation is at data protection compliance," recommended Grant.

"Keep some documentation ready to go in a nice thick folder for the ICO - this will help to convince it that you take data protection compliance seriously and that this was just an unfortunate accident that happened," she said.

Grant suggested referring to the ICO's guidance on how it measures the seriousness of a contravention, which will help to inform the steps that your firm can take to minimise the fine.

"If you have a breach that is serious but has aggravating or mitigating factors, you may be able to bring the level of the fine down," advised Grant.

"Have you confessed about the breach to the ICO? Have you been amenable? Have you followed their advice? Have your senior management appeared to be concerned? Have you declined an audit? Your general record of compliance is important."

Grant noted that the objective of the monetary penalty notice is for it to serve as a deterrent to peer organisations behaving in a similar manner and as a sanction for non-compliance.

"The MPN is a good thing because it converts a legal risk into a business risk; it also makes it easier to justify investing in managing those risks. A fine without publicity does not have the same power - it enhances the deterrent effect for others in the same industry," she said.

"If you have received a notice of intent, it is unlikely you will be able to avoid a fine. But, you can influence what is said in the monetary penalty notice and you can influence the amount of the fine. It is unlikely that you will be able to convince the ICO that they have all of their facts wrong and avoid a fine and MPN altogether," said Grant.

Concluded James Derby, a corporate solicitor at Croydon Council: "If you have a data breach, if the ICO comes knocking on your door, you need to already have the safeguards in place so that you are protected. Do an audit and put the right safeguards in place now."
