UK ICO recommends company directors have personal liability for data breaches

The UK's Information Commissioner has given recommendations to a House of Commons Committee detailing why (amongst other things), company directors should be held personally accountable for breach of data protection laws.

Much is going to change under the GDPR - but are companies ready for it?
Much is going to change under the GDPR - but are companies ready for it?

The UK's Information Commissioner, Elizabeth Denham, recently recommended at a Parliamentary meeting to discuss the draft Digital Economy Bill, that the government should hold company directors with personal liability and accountability for data breaches.

Under current laws, directors of companies generally have no personal liability or accountability for breaches of data protection law committed by their companies.

Denham gave evidence to a House of Commons Public Bill Committee on the 13th of October, detailing the ICO's recommendations for the Digital Economy Bill, one of which was support for making directors personally liable for breaches of data protection law by their companies.

Denham claimed that the ICO issued a total of £4 million in fines in the last year, and only collected a small percentage of that sum. This is down to companies who had committed serious breaches of data protection law would shut down following the fine, quickly re-opening with the same management, staff and premises only with a new corporate identity.

The ICO recently imposed a fine of £400,000 on UK ISP TalkTalk, which was its largest fine ever for a breach of data protection law. With the General Data Protection Regulation's honeymoon period ending on the 25 May 2018, it will give the ICO the power to impose fines of up to the greater sum of €20 million or 4 percent of worldwide turnover.

While data protection is not a main focus for the Digital Economy Bill, it is clear that a number of its proposed provisions could have a significant impact on data protection compliance obligations for businesses. It remains to be seen whether that proposal will be included in the final Bill.

Some have claimed that the recommendation shows the Commissioner is willing to take stronger action against businesses who fail to abide by data protection laws.

Sign up to our newsletters