Compliance

What are you waiting for, go get audited!

These days it’s very rare that you get offered something for nothing. It’s exceptionally rare for a business to be offered a free service which could save it hundreds of thousands of pounds. So why, then, has the offer of a free data protection audit from the ICO (Information Commissioner’s Office) been taken up so poorly by the private sector?

From 2010, small businesses across the UK can be fined up to £500,000 in the event of a data security breach. The ICO previously only had the power to levy a fine of £5,000 on companies and individuals for serious breaches of the Data Protection Act, but these new measures are expected to act as an effective deterrent and to improve data security across the UK economy.

In 2009, 41% of companies in the UK reported severe breaches in data security. These breaches can come from internal sources or from external attack. In 2010, 7Safe, an information security and forensic computing consultancy, said that this figure had increased to 66%. According to the research, 80% of attacks on data came from sources external to the organisation, while 18% came from business partners. It seems that businesses are simply not seeing the severity of failing to manage their company documents effectively, with stringent data security policies and comprehensive training of their employees in compliant records management practices. It might sound petty, but holding onto data too long, disposing of it too soon or failing to provide documented evidence of its disposal are all reasons you could be fined. Under this new legislation even CDs, DVDs and hard drives are covered. “Well, I’ll just hold on to everything – just to be safe”, I hear you say. Well, actually, no: this too can be a breach. Simply holding onto everything as a safeguard will not work and can easily result in you being fined.

You might also think that a fine of £500,000 is reserved for large organisations. Again, you would be wrong. Companies of any size can be fined, and already have been (the ICO’s annual report includes some very good case studies). However, it is small businesses which seem not to place enough importance on records management, and this is what causes them to fall foul of the Data Protection Act. Invoices, company reports, payroll, HR records and customer lists are all highly confidential and need to be stored, managed and destroyed securely and professionally. Educating your employees to recognise these different types of company documents, and how to manage them, will help prevent leaks of this kind from occurring.

When you consider that since last April the maximum fine for serious breaches of the Data Protection Act has been £500,000, you would have thought that any review or advice, especially free advice, would have been snapped up by companies large and small. However, according to the ICO’s annual report, only 19% of businesses in the private sector accepted the offer, while 71% of organisations from the public sector rose to the challenge.

So why the reluctance to agree to an audit? An ICO audit, or ‘good practice audit’, is designed to help organisations meet their data protection obligations by sharing good practice and making helpful, practical recommendations. The ICO say that consensual audits are key to working proactively with data controllers, helping and educating organisations to meet their data protection obligations. Among the organisations that agreed to an audit, 92% of the recommendations made were acted upon, which, for the organisation and the sensitive data it manages, can only be a positive step in the right direction.
