The UK’s Information Commissioner’s Office has pledged to tread gently in the early days of implementing new data protection laws it believes signal one of the biggest changes to the country’s online security to date.
Data protection chief David Smith told a security conference the ICO will initially put enforcement on hold to allow ISPs time to adapt to new legal requirements on reporting data breaches, and said the focus of the new laws in the early days will be on major ISPs, mobile operators, and incumbent telco BT.
Despite pledging to go easy, Smith told delegates the regulation changes “need to be taken seriously,” particularly the rules covering consent to cookies, which allow users to opt out of cookie storage for non-essential services, The Inquirer reports.
However, an investigation by ViaSat into ICO enforcement calls the strength of Smith’s assertions into question, revealing the body punished just 1% of firms found to have breached the UK Data Protection Act in the past year. Most of the firms punished are public sector companies, despite a higher number of breaches by private outfits, The Guardian reports.
ViaSat’s analysis reveals the ICO took action in 36 of 2,565 data breaches since being awarded the power to issue monetary fines in April 2010, but that financial penalties were issued in just 4 of the 36 cases.
An ICO spokesman explained to the Guardian that fines aren’t necessarily the best means to ensure compliance with the Act. “The existence of civil monetary penalties has had a markedly beneficial effect on compliance generally. The big stick is there, but doesn’t need to be deployed all the time to have an effect,” he said.