From 6 April 2010, the Information Commissioner’s Office (ICO) will be empowered to fine organisations up to half a million pounds for serious breaches of the Data Protection Act 1998. Custodial sentences for criminal offences under the Act may also be on the way.

“It’s one of the fundamental principles of the Data Protection Act that organisations collecting data must put in place adequate security measures to protect it,” says Grant Campbell of Brodies, who specialises in data protection.

“There are now more incentives than ever to comply with this principle. An organisation’s reputation can be significantly damaged by a careless disclosure of customer or employee data or other breach of information security.

“Traditionally this ‘reputational risk’ has carried a far greater deterrent effect than the legal sanctions available to the ICO. However, from 6 April this year, the Information Commissioner’s Office will be able to order organisations to pay a fine of up to £500,000 for certain serious breaches of the Data Protection Act.”

Campbell adds: “The Ministry of Justice has also just finished consulting on its proposal to use powers under the Criminal Justice and Immigration Act 2008 to amend the Data Protection Act by introducing custodial sentences of up to two years for the knowing or reckless misuse of personal information.”

Security problems take many forms: misuse or loss of company data, improper use of company IT assets, intrusion and attack, and e-mail and Web abuse. A range of solutions is available to business, including programmes, policies and processes that mitigate risk, but the risk itself needs a comprehensive assessment at the outset so that those measures address the exposures the organisation actually has.

There are simple steps organisations can take now. For a business that is unaware of the changes and unprepared to mitigate its risk, the consequences could be catastrophic.