The Information Commissioner can issue a monetary penalty for failing to comply, there are two tiers:
1. The highest €20 million Euros or 4% of the total annual worldwide turnover, whichever is higher. This applies to any failure to comply with the data protection principles, any rights an individual may have, or in relation to transfers of personal data overseas.
2. If there is an infringement of other provisions, the standard maximum amount will apply, which is €10 million Euros or 2% of the total annual worldwide turnover, whichever is higher.
You are likely to incur the wrath of the ICO if you persistently, deliberately or negligently flout the regulations or misuse data. The ICO’s have stated that this will particularly apply to large companies in the technology sector. However many small firms fear the ICO will be heavy-handed in dealing with non-compliance. The Information Commissioner herself has said that small businesses which did not make extensive use of customer data would not come under close scrutiny.
Accountability is one of the key data protection principles – this means that you must be able to demonstrate your compliance. For most small businesses this means you should identify your Information Assets and record what Personal Data is held, where it came from, who you share it with and what you do with it in an Asset Register.