ICO: Fines are effective at improving data protection compliance

Recent research by the ICO on the Impact of Civil Monetary Penalties (CMPs) suggests that organisations that have been issued with a fine now take their data protection obligations seriously, with revised practices and policies, and increased staff training. All in all, the affected organisations gave data protection a higher profile, which manifested itself in greater senior management buy-in and increased staff awareness.

This positive impact even extended to peer organisations that had not been fined. ‘A substantial proportion of this sample said that they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations’, the ICO said. In this group, 58% of organisations said that senior management had taken a greater interest in data protection because of CMPs.

The research is based on in-depth telephone interviews with 14 organisations who had received a CMP. This sample was made up of seven local authorities, three private companies, one local health authority, one police force, one central government department and one regulator. All these organisations had self-reported their breach to the ICO.

The second group to take part in the research consisted of 85 ‘peer’ organisations from similar sectors who had not received a CMP. The majority of organisations in this group thought that the ICO should do more to publicise the fines it issues.

The paper was published on 23 July 2014.