A warning has come from The PCI Security Standards Council that failure by UK firms to prepare for the introduction of the European Union’s General Data Protection Regulation (GDPR) in 2018 could mean big fines.
The PCI has pointed out that under GDPR, groups of companies could be facing fines of up to €20m or 4% of annual worldwide turnover, whichever is greatest for data breaches. These kinds of fines far exceed the current £500,000 fine.
Why UK Firms?
The UK’s poor record on preventing data breaches is one of the main reasons why UK firms will need to be particularly careful. For example, if data breaches here remain at 2015 levels (based upon a fine of 4% maximum global turnover under GDPR) UK companies could end up paying a 90-fold increase in fines to the European regulator - perhaps as much as £122bn.
For large UK businesses, this could equate to a 130-fold increase in regulatory fines for data breaches, and SMEs could see a 57-fold increase in regulatory fines for data breaches. This equates to as much as an average of £13,000 per SME!
Not Just Fines.
As companies who have experienced very large and very widely reported data breaches would know, the fines are just one part of the potential damage. There would also be the effects (perhaps long-lasting) of the damage to reputation, the serious disruption to the business (especially if there is no DRP and BC planning in place), and the loss of revenue. It is not unusual for serious data breaches to lead to the demise of the business.
Two Tiered Danger.
GDPR will, in fact, bring in a 2 tiered approach to sanctions, so it’s not just the most serious kinds of data breaches that UK businesses will have to guard against. For example, the regulation allows for fines of up to €10m or 2% of global annual turnover, whichever is greater, for breaches considered less serious.
Warning From New UK Information Commissioner.
New Information Commissioner, Elizabeth Denham, recently warned UK businesses that although the ICO can fine companies up to £500,000 at the moment, this could rise in line with GDPR to 4% of a business’s global turnover.
She also warned that organisations need to take responsibility for their actions, despite the pace of technological change. It’s also bad news for those hoping that GDPR would not apply with Brexit as Denham has stated that GDPR would be live here before the UK left the EU.
What Does This Mean For Your Business?
It is clear that there is no escaping GDPR before Brexit so UK businesses need to become very familiar with the requirements of GDPR to ensure compliance. UK businesses also need to address the root problem by acting now to prevent detect and respond well to cyber attacks that could lead to data breaches.