The potential costs of a data protection breach are incalculable, although many breaches do not in fact lead to seriously adverse outcomes. The three main risks are:
• A fine (civil monetary penalty) from the Information Commissioner.
• Compensation to affected individuals for damage and associated distress.
• Reputational damage to the Data Controller responsible.
The maximum fine is £500,000 (but see following chapter). The Information Commissioner’s strategy is to identify particularly serious breaches and impose sufficiently large penalties as to attract attention and encourage others to take steps to avoid ending up in the same situation. Research carried out for the Commissioner in 2014 found evidence that this approach was having the desired effect.
Examples have been given above of fines imposed for security breaches associated with cloud activities. Although a fine could be imposed for a serious breach of any of the eight data protection principles, in fact almost all have been imposed for breaches of the seventh principle – security. Note that in order to attract a fine, there does not have to be any evidence that actual harm has resulted from the breach. Fines have been imposed in cases where the data has either been recovered before it could be misused, or has disappeared without trace and does not appear to have fallen into the wrong hands.
Another feature to note is that the Information Commissioner’s justification for imposing a fine frequently cites the lack of effective policies and procedures, either because they were not specific and detailed enough to address the risks, or because the staff involved were not given sufficient training to be aware of the course of action they were expected to take.
This suggests strongly that all users of cloud-based applications should be given clear guidance and training on how these should be used (or even not used, in the case of personal cloud accounts).
Compensation to individuals is less well reported. Claims must be based on tangible damage.
All enforcement action by the Information Commissioner is published on his website. Action short of a fine can include Enforcement Notices – setting out action to be taken, where failure to comply is a criminal offence – and binding undertakings committing the Data Controller to remedial action. Any of these could, as a result of their publication, lead to reputational damage.
Other costs associated with a breach could include:
• Notifying potentially affected individuals, if this is appropriate.
• Data restoration, where the breach involves loss or damage of important information.