More of a topic of discussion, specifically in terms of GDPR breaches. I talk predominantly around the monetary fines that can be handed out.
Recently it was revealed that a "Coding Error" in an NHS England system caused a perceived data breach, and contravened GDPR stipulations. The Information Commissioner's Office was informed and no doubt it will be investigated.
My question is: Are monetary fines the answer in such situations? To remove vast sums of money from this organisation, like many others, may cause severe harm to the way it operates in the immediate aftermath, with undoubted reduction in services, and/or potential loss of employment. It would appear the effect might reach down the ranks as well as up them, and who knows what sort of effect it could have.
The next question is, what would be a better option in such cases? Is there a better option, even?
Now to be clear I'm not being intentionally naive here, I appreciate the fines or any other action taken will be proportionate to the offence, and I know it's likely money wouldn't be removed from public serving areas, but that raises yet more questions.
If you'd like to read any more on the NHS coding error the link is below.
In my opinion, I believe this is why the ICO take a pragmatic approach. It serves no one's interests for huge fines to take a cut out of the NHS budget. The fines only end back up in the Treasury, where they will be reallocated as part of general government spending. Whose interest does that serve? Certainly not the taxpayer or the data subjects affected, as I can't see this motivating change.
The best way forward for public sector organisations is to enforce real accountability at the top and this in turn will motivate behavioural change and investment into systems and processes to safeguard personal data, but there seems to be no willingness to do this on the part of government at the moment. It seems to be a Pandora's box that no one wants to open.
As someone who has worked in both the public and private sector, I agree that this is an important point and have seen the differences up close.
The fundamental aim should be, as Felix mentions above, to enforce accountability and behavioral change at the highest level of sensitive data handling organisations.
The best method of doing so might be by financial punishment in many cases. For private organisations this approach may be the most effective.
Public sector organisations are, of course, judged on financial performance but that metric is sometimes less heavily weighted than a typical private company.
Also, there is a positive correlation between the difficulty of effecting change in an organisation, the size of the organisation and the degree of internal politics.