The EU General Data Protection Regulation (GDPR), which is already in force, formally applies from 25th May 2018. Many businesses have not yet started to review their data protection arrangements or to take countermeasures.
Recent analysis published by the Payment Card Industry Security Standards Council (PCI SSC), using survey figures from the Office for National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015. If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, large organisations would face fines totalling £533m and SMEs would have to pay £908m under the existing data protection laws.
Under the new GDPR regime the same offences would attract a truly massive hike in financial penalties – fines of £70bn for major organisations and £52bn for SMEs.
These estimates assume the maximum fine is levied for every breach from day one under the rules; in practice each national information commissioner is likely to be more lenient in the early stages of GDPR implementation. Added to this, following Brexit, the UK data protection legal landscape and its penalties have yet to be defined. However, businesses operating internationally nonetheless have to work within the GDPR framework, and many are now starting to appoint data protection officers.
The message is clear – businesses cannot afford to dally. Whatever their size, all organisations need to start their preparations now. Companies should conduct reviews to understand and map the data they hold, and put in place robust standards and procedures for managing that data to counter cyber security threats. Only by taking these steps can organisations hope to avoid the increasingly overwhelming fines that could legitimately be imposed.