The Information Commissioner's Office (ICO) is reportedly handing out fines to less than one per cent of organisations who breach the Data Protection Act (DPA) depsite releasing heavy warnings, according to a freedom of information (FoI) request put forward by encryption firm ViaSat.
The study by ViaSat, discovered that only 36 out of 2,565 data breaches were acted on by the ICO and just four cases resulted in monetary fines.
The ICO has had the power to fine organisations up to £500,000 for breaching the DPA since April last year, but the total brought in so far has only reached £310,000.
ICO has claimed there was "certain criteria" necessary to impose monetary penalties and they were only enforced for "the most serious breaches...causing serious distress."
A spokesperson said: "Our focus as a regulator is on getting bodies to comply with the [DPA]. This isn't always best achieved by issuing organisations or businesses with monetary penalties."
"The action we will take depends entirely on the details of each individual case. The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn't need to be deployed all the time to have an effect."
Chris McIntosh, chief executive (CEO) of ViaSat, doubted this theory though.
"The ICO has stated that the embarrassment and poor image of a fine will act as a deterrent and an incentive to improve an organisation's grasp of the data protection act," he said. "However, if fines are rare and well below the maximum allowed limit, their value as a deterrent drops."
"Organisations will view the rarity of a fine and the associated negative publicity the same way they have viewed the threat of a data breach itself: an event that only happens to other people."
Return to internet news headlines
View Internet News Archive