Data Protection Act revision driving further compliance requirements

FutureSoft (published 08/04/2009)
 

FutureSoft issues warning over the need for companies to be prepared to comply with the latest revisions of the Data Protection Act to be enforced from June


FutureSoft highlights the fact that businesses and financial institutions could face financial penalties if they fail to implement adequate measures to protect sensitive personal information over the next three months. Details of the new civil monetary penalties, in line with internal government targets and ministerial commitments, were due to be published in March, in time for their enforcement by the end of June. However, this date has subsequently passed.

“Businesses need to face up to the challenge of securing sensitive data. It is imperative that they take adequate measures to protect personal data, regardless of the timetable for regulatory sanctions,” explains Tim Farrell, FutureSoft CEO and data security specialist. “Recent data loss has seriously harmed the reputation and effectiveness of UK business. Organisations, now more than ever, need to ensure that they take reasonable care to secure sensitive personal data.”

Under the new s55A of the Data Protection Act, the Information Commissioner was supposed to have been given the power to impose civil monetary penalties on businesses that fail to implement reasonable measures to protect sensitive personal information, if such data is subsequently lost. Despite Lord Bach’s commitment to empowering the data commissioner ‘as soon as possible’, the provision for statutory penalties has not yet been ‘activated’ by the necessary statutory instrument. FutureSoft understands that the Ministry of Justice was set an internal target, at ministerial level, to finalise and implement the regime of civil monetary penalties before the parliamentary summer recess, ‘at the latest.’ Government good practice is to provide statutory guidance twelve weeks before legislation comes into force, and that date has now passed.

“As a minimum, personal data should be secured from downloading, be adequately encrypted in transit and access restricted by using the appropriate technology. The reasonable measures demanded by law are likely to entail both intelligent management and the deployment of robust endpoint security,” surmises Farrell.

Lord Bach’s commitment and original target were in line with a later recommendation of the House of Lords Select Committee on the Constitution to implement the penalties ‘as soon as possible’. However, at the beginning of March, Mick Gorrill, the Assistant Data Commissioner, admitted that the maximum penalties had yet to be prescribed, and there is, as yet, no sign of the statutory guidance.

 

 

© 2010 ProSecurityZone.com