Personal Liable for Data Protection?

The Information Commissioner wants all directors to be made personally liable for any breaches of data protection laws committed by their companies.

All companies, regardless of their size, are legally required to comply with the Data Protection Act 1998. As the law currently stands, where a company breaches the Act the directors cannot generally be held personally liable – the breach rests solely with the company. However, if the Information Commissioner, gets there way this position is soon going to change. In October 2016, Elizabeth Denham gave a number of recommendations to a parliamentary committee in respect of the Digital Economy Bill which is expected to become law in early 2017.

Shutting up. The Information Commissioner has stated that, in the last year alone, fines imposed on companies for breaches of the Act – which the Information Commissioner’s Office enforces – totalled £4 million. Despite this, “only a small percentage” of those fines have been collected. According to the Information Commissioner, this is because many companies that breach data protection laws simply shut down following an Information Commissioner’s Office fine, only to “promptly reopen with the same management, staff and premises in a new corporate entity”. The Information Commissioner believes that personal liability would prevent this.

On this basis, it’s probably worth all directors refreshing their Knowledge of the Data protection Act and their legal obligations. The Information Commissioner’s Office has a number of online training materials and guidance notes which can be accessed free of charge.

personal liable data protection