Of the 91 enforcement actions for breaches of current data protection laws taken by the Information Commissioner’s Office (ICO) last year, 54 monetary penalties were issued to UK organisations totalling £4,207,500. That’s an increase of nearly one million pounds over the previous year (35 fines with a total of £3,245,500). With the biggest changes to data protection law for over 20 years coming into force tomorrow in the form of the European Union’s General Data Protection Regulation (GDPR), organisations risk larger fines in the year ahead if they fail to ensure compliance.
As part of the global Privacy and Security Enforcement Tracker, PwC has analysed the ICO’s data protection enforcement actions over the past four years, looking at monetary penalties, enforcement notices, prosecutions and undertakings. The ICO can currently issue monetary penalties of up to £500,000. PwC’s analysis found that, in 2017, 14 of the 54 fines issued (26%) were of more than £100,000. Under the GDPR, fines for failing to comply can be up to 4% of global annual turnover or €20 million, whichever is higher.
Stewart Room, lead partner for GDPR and data protection at PwC, commented: “Our analysis found that almost half of last year’s UK data protection enforcement actions were due to marketing infringements, but security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure. These are key areas for organisations to be mindful of as we move into this new era for data protection.”
Room continued: “The ICO has made it clear, however, that the GDPR is not about the increased fines and the maximum certainly will not be the norm. It’s really about putting consumer rights at the heart of today’s data-centric world. There’s an option for organisations here. They can simply see the GDPR as a compliance exercise, or embrace it and use it as an opportunity to forge ahead of their competitors and win consumer trust.”
In addition, Room observed: “Signs of progress are very encouraging. At Board tables all over the world we are hearing a refreshing new regard for personal data and, in that sense, the GDPR has already been a great success. Findings from our GDPR Readiness Assessments, which we’ve run with over 220 clients globally over the last two years, show that, in general, highly regulated sectors such as healthcare and financial services, which are used to dealing with regulatory change, tend to have a slight margin over others in terms of their preparedness.”
Realistically, despite the two years of preparation time, many organisations will not be fully compliant when the GDPR comes into force because of its sheer complexity and the widespread business process changes often required.
To continue supporting its many clients in this new data protection era, PwC will launch its MyDPO range of services on 25 May. These services will support Data Protection Officers and their teams in responding to crisis situations (such as the new 72-hour data breach notification rule), as well as in assessing compliance and breach readiness and handling ongoing data protection strategy and governance work. Managing privacy mailboxes would fall into the latter category.
*PwC’s 2017 Privacy and Security Enforcement Tracker global report can be downloaded here. An interactive tool is also available on the same page to explore UK and global statistics in more detail.
**The results of PwC’s GDPR Readiness Assessments run with nearly 250 clients can be explored in a separate interactive tool here.
Information Commissioner welcomes Data Protection Act 2018 and EU’s GDPR
Nearly a year after its announcement in the Queen’s Speech, the Data Protection Bill has worked its way through Parliament with much debate and, following on from Royal Assent, is ready to move into UK law as the new Data Protection Act 2018.
Information Commissioner Elizabeth Denham stated: “As the data protection authority for the UK, the ICO is eager to embrace the changes it brings and begin regulating the new UK and EU legislation that, from 25 May, will make our country one of the world’s most progressive data protection regimes.”
Denham continued: “The previous Data Protection Act, passed a generation ago, failed to account for today’s Internet and digital technologies, social media and Big Data. The new Act updates data protection laws in the UK, and sits alongside the GDPR. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”
The UK’s growing digital economy relies on consumer trust to make it work. The Act, along with the GDPR, provides a modernised and comprehensive package to protect people’s personal data in order to build that trust.
“Our personal data is a version of each of us,” said Denham. “What we’ve done, what we’ve read, where we’ve been and who is in our network. It’s our health status, our financial decisions, our political beliefs and affiliations. Our desire to book a flight, update our browser or sign up for a service should not be governed merely by Terms and Conditions set by an organisation. Life is too short to decipher fine print. The new laws provide tools and strengthened rights to allow people to take back control of their personal data. The legislation requires increased transparency and accountability from organisations and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data.”
Not about fines
Although the ICO will be able to impose much larger fines, Denham is adamant that this law is not about fines. “It’s about putting the consumer and citizen first. Telling people we cannot lose sight of that.”
As far as Denham is concerned, the creation of the Data Protection Act 2018 is not an end point. Rather, it is just the beginning, in much the same way that preparations for the GDPR do not end tomorrow. “From 25 May, we’ll be enforcing the GDPR and the new Act, but we all know that effective data protection requires clear evidence of commitment and ongoing effort. It’s an evolutionary process for organisations. No business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”