Breaches of UK data protection laws during 2016 attracted no less than 35 fines totalling £3,245,500. That’s almost double the 2015 total of 18. Now, with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to ensure compliance with the forthcoming European Union General Data Protection Regulation (GDPR).
PwC has analysed data protection enforcement actions conducted by the Information Commissioner’s Office (ICO) over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings. The analysis for 2016 finds that 23 enforcement notices were issued (notices that require organisations to take steps to ensure compliance after a data breach). This represents a 155% increase on the nine notices issued during the course of 2015.
The UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3 million). Across Europe, however, the pattern has been comparatively low volumes of regulatory enforcement actions with low-level financial penalties, in stark contrast to the US, where fines of approximately $250 million were served.
Impact on stakeholder trust
PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this at the top of the agenda is right now, before the GDPR becomes law across the EU on 25 May 2018. From then on, a variety of new compliance obligations will be imposed, including new rules about breach disclosure, data portability and data use consent. Organisations that fail to comply could face penalties of up to 4% of global turnover or €20 million (whichever is higher).
Stewart Room, PwC’s global cyber security and data protection legal services leader, commented: “At present, the ICO can issue fines of up to £500,000, but with this set to increase to up to 4% of global turnover under the new GDPR, UK organisations must use the remaining time to prepare for compliance ahead of next year.”
Room added: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis in order to deliver real operational change. It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what’s essentially a code for good business, wherein privacy by design becomes part of everyday operations?”
Lack of awareness
84% of the UK’s small business owners and 43% of senior executives of large companies are unaware of the forthcoming GDPR. Shred-It’s seventh annual Security Tracker Survey also finds that only 14% of small business owners and 31% of senior executives are able to correctly identify the potential fine associated with the new law. This is despite a large proportion of senior executives (95%) and small business owners (87%) claiming to have at least some understanding of their industry’s legal requirements.
Businesses which are unaware of the forthcoming legislation and its implications are putting themselves at risk not only of severe financial penalties, but also of the reputational damage caused by adverse publicity associated with falling foul of the law. This can often have a greater impact than the fine itself. Research shows that 64% of executives agree that their organisation’s privacy and data protection practices contribute towards reputation and brand image.
Of those respondents who claim to be aware of the legislative change, only 40% of senior executives have already begun to take action in preparation for the GDPR, in spite of 60% agreeing that the change in legislation would put pressure on their business to change its policies related to information security.
The in-depth survey also highlights that companies feel the UK Government needs to take more action. 41% of small business owners (representing an 8% increase from 2016) believe that the Government’s commitment to information security needs improvement.
Proactive approach needed
Robert Guice, senior vice-president at Shred-It, explained: “As we approach May 2018, it’s crucial that organisations of all sizes begin to take a proactive approach in preparing for the incoming GDPR. From implementing stricter internal data protection procedures such as staff training, internal processing audits and reviews of HR policies through to ensuring greater transparency around the use of personal information, businesses simply must be fully aware of how the legislation will affect their company to ensure that they’re fully compliant.”
Guice concluded: “Government bodies such as the ICO must take a leading role in supporting businesses around GDPR ‘readiness’ by helping them to understand the preparation needed and the urgency in acting now. The closer Government, information security experts and UK businesses can work together, the better equipped organisations will find themselves come next May.”