Changing dynamics of the COST vs RISK analysis for the Data Protection Act

Posted by: Alastair Williams in IT Industry on Mar 5, 2010
With the maximum fine for serious breaches of the Data Protection Act (1998) rising from the inadequate £5,000 to a business-closing £500,000, company boards need to re-assess the business cases for introducing privacy technologies. It is my view that in the past many commercial organisations made a blunt cost vs risk analysis and decided that they would accept the fines rather than implement protection. In industries where the consequences were far higher, such as retail and PCI DSS compliance, companies addressed this small portion of data privacy (often outsourcing it completely, so they had no visibility of the data that put them at risk) yet left other equally sensitive data unprotected.
With the costs of failure changing, the risk analysis needs to be revisited. Some may still decide that not implementing is “cheaper” and accept the fines; however, be aware that custodial sentences are also being touted, and that could be the deciding factor.
To help with quantifying the costs of privacy “failures”, the ICO has just released the Privacy Dividend guide, available here.