The new statute was laid before Parliament on 12 January.
The Information Commissioner's Office will be able to issue fines of up to £500,000 for serious data security breaches.
The new rule is expected to come into force in the UK on 6 April 2010. It has been approved by Jack Straw MP, Secretary of State for Justice.
The size of the fine will be determined after an investigation to assess the gravity of the breach.
Other factors will include the size and finances of the organisation at fault.
Individual cases will also be assessed on whether the breach was accidental or deliberate, and how much distress the leak of information caused.
There have been several high-profile data losses in recent years from large organisations including the Ministry of Defence and the DVLA (Driver and Vehicle Licensing Agency).
In an official press statement, Information Commissioner Christopher Graham said he hoped the penalty would encourage companies to comply more closely with the Data Protection Act.
"These penalties are designed to act as a deterrent," he said.
"I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
The original Act came into force in 1984 but today enormous amounts of personal data are stored and processed online.
"When things go wrong, a security breach can cause real harm and great distress to thousands of people," added Mr Graham.
Under the most recent Act of 1998, data can only be used for the purposes for which it is collected and cannot be given to others without the consent of the individual.
Everybody has the right to see information that is held about them, with the exception of crime-related data.