
Data breach fine warning

by Mark Rowe

Breaches of UK data protection laws during 2016 attracted some 35 fines totalling £3,245,500 – almost double the 2015 total of 18, an audit firm points out. Now with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to ensure compliance with the General Data Protection Regulation (GDPR), according to PwC.

The firm analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings. The analysis found that 23 enforcement notices – which require organisations to take steps to ensure compliance after a data breach – were issued in 2016, compared with the nine notices issued in 2015.

The UK was one of the most active regions for regulatory enforcement action in Europe last year, alongside Italy (which imposed 3.3m euros in fines). While the Continental pattern has been comparatively low volumes of regulatory enforcement actions with low-level financial penalties, this stands in stark contrast to the US, where fines of about $250m were served, PwC says. Its recent CEO Survey found that 90pc of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this at the top of the agenda is now, before GDPR comes into force across the EU from May 2018. From then on, a variety of new compliance obligations will be imposed, including new rules about breach disclosure, data portability, and data use consent. Organisations that fail to comply could face penalties of up to 4pc of global turnover or €20m, whichever is higher.

Stewart Room, PwC’s global cyber security and data protection legal services leader, said: “The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4 per cent of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year. We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.

“It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”

Comments

Rob Ashworth, UK Hosting Solutions and SMB at Insight UK, said: “The latest research from PwC highlights that despite repeated calls to action from industry experts, companies in the UK are still struggling to safeguard customer data, continuing to experience the devastating first-hand impact of breaches. With the ever-increasing advancements being made in technology, the amount of data available to businesses is remarkable. Whilst this information can be used towards providing valuable insights about customers, internal operations and employees, holding data comes with great responsibility to keep it secure. The vastness of data organisations now have access to makes it complex to track and store safely, yet in light of recent cyber-attacks, it is more important than ever for businesses to take every measure to protect themselves. Whilst investing in people, procedures and technologies helps organisations to become more proactive in their approach to cyber security, it is crucial for businesses to use public breaches as learning opportunities. The more organisations share when an attack has occurred, the better their stance is to defend themselves next time.”

And Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu, said: “We are now in an age where cybercrime and data breaches are inevitable, and with the increasing severity of sanctions against those who fail to put in adequate protection measures, it’s time every business makes cyber-security a priority.”

“Information is the lifeblood and wealth generator of almost every organisation, and anyone holding data, be it of consumers or businesses, is now a target. On the one hand it’s important companies conduct data inventory scans to help discover the relevant data they hold, and understand where it resides. Once that’s done they need to speak to specialists who can help them create a holistic solution that prioritises the protection of critical data. On the other hand, this must work in tandem with a culture shift within organisations that prioritises and creates awareness of protective measures against cyber-crime. Phishing attacks and human error are two of the most common causes of a breach, and the positive thing is organisations do have the power to prevent such instances from happening.”

“As the number of these threats continues to increase exponentially, no business nor consumer can afford for cyber-security not to be their number one priority. We have seen how data breaches and cyber-attacks do indeed have both reputational and financial ramifications, and it’s time business took steps to protect themselves.”


© 2024 Professional Security Magazine. All rights reserved.
