The potential costs of a data protection breach are incalculable, although many breaches do not in fact lead to seriously adverse outcomes. The three main risks are:
• A fine (civil monetary penalty) from the Information Commissioner.
• Compensation to affected individuals for damage and associated distress.
• Reputational damage to the Data Controller responsible.
The maximum fine is £500,000 (but see the following chapter). The Information Commissioner’s strategy is to identify particularly serious breaches and impose penalties large enough to attract attention and encourage others to take steps to avoid ending up in the same situation. Research carried out for the Commissioner in 2014 found evidence that this approach ...