Total fines could top £118 million next year under new data protection regulations
- The General Data Protection Regulation becomes law in a year, on 25 May 2018
Total fines issued by the Information Commissioner’s Office in the UK for data breaches under new regulations could top £118 million in its first full year as the size of fines regulators can impose soars, says EMW, the commercial law firm and General Data Protection Regulation (GDPR) specialists.
EMW explains that under the new regulations the cap on each fine will be raised to £16.5 million (or 4% of the worldwide turnover of the entity being fined) – 33 times the current maximum fine of £500,000. £3.6 million in fines were imposed last year*. However, with regulators allowed to impose turnover-based fines, and with more fineable offences being introduced, even this estimated level of fines could prove conservative over the long term.
EMW explains that under the new law the fine that telecommunications company TalkTalk received for the cyber-attack on its systems in October 2015 could have been £73.5 million instead of £400,000.
Businesses of all sizes must be compliant with the new GDPR in just a year, by 25 May 2018. The new regulations place stronger legal obligations on companies and ensure businesses take specific steps to more securely collect, store, and use personal data.
Some of the key changes brought in by the GDPR include:
- The ‘right to be forgotten’ so individuals can ask companies to delete their personal data
- Making it harder for companies to get consent to use data
- Businesses must appoint a data protection officer, who is expected to report directly to the highest management level
Matthew Holman, Principal at EMW, comments: “The GDPR will represent the biggest change to the law relating to data in 20 years and companies are facing significantly higher fines than they do now.”
“Businesses need to be aware that with an increase in reporting obligations on businesses, the ICO is likely to increase the amount of the fines it issues and the number of investigations it undertakes.”
“One of the biggest issues faced by businesses is lack of senior management buy-in. Larger businesses are mostly on top of compliance, but businesses of all sizes, no matter how small, need to reach that point; however, many are nowhere near it. The GDPR will apply to all businesses, regardless of size, sector, or turnover.”
“When the GDPR arrives in just a year’s time, the reality of implementation will almost certainly take many businesses by surprise. Average industry estimates for the creation and execution of a GDPR compliance project are 12 to 15 months, so for those businesses that have not started, the clock is really ticking for them to begin.”
“Email data represents one of the biggest challenges for compliance. Failure to respond promptly to subject access requests or right to be forgotten requests could result in significant fines, and the more email data you have, the harder it is to respond quickly and in a compliant manner.”
“Awareness amongst members of the public and employees of their rights is increasing, which in turn means there is likely to be a spike in subject access requests and new right to be forgotten requests.”
*2016-17 (fines up until May 2017).