500,000-pound data protection fines are simply not enough

Half a million pounds. It’s enough to buy you a third-tier footballer; maybe a teenager with a suspect temperament or a journeyman with a tendency to pick up injuries. It’s a modest bonus for a mid-tier banker. It’s the price of a three-bedroom terraced house in the less desirable parts of the London Borough of Richmond. And as of today it’s the maximum fine for companies that fail to protect data adequately and thereby incur the wrath of that flea-bitten old watchdog, the Information Commissioner’s Office.

Although it’s a relatively large increase on the previous (and utterly risible) penalty, it’s a sum that is neither one thing nor the other, ‘nowt nor owt’. It might scare a small business but guidance suggests that fines will be handed out in line with size of organisation. So the full half-a-million is only likely to be applied to large organisations that pay leading executives significantly more in salary.

Despite acres of coverage and analysis suggesting this is some new get-tough measure, it’s hardly likely to change the way organisations handle data. If they’re not worried by reputational risk, they’re unlikely to be worried by a fine.

And for the enormous IT security sector, it’s probably not going to change matters too much either.

“I’ve not been dancing around my lawn saying ‘happy days’,” said Richard Turner, CEO of Clearswift, when I spoke to him this morning. His sensible belief is that we need to “stop thinking about security as walls, moats and fortresses” and “move data security away from the IT department” so that there is a measured view of permissions and controls depending on sensitivity of information. He’s philosophically against lockdown “because people will get all sorts of lengths to get around it”.

Fair enough, although I suspect that some sort of dictatorial stance might be what is required at many organisations. It’s an unfashionable view but treating workplaces as, you know, places to work, might have to come back into the equation alongside the fundamentals of technological controls and training. And I doubt very much that £500,000 fines – shades of Dr Evil in Austin Powers — will make a great deal of difference one way or the other.