As if there has not been enough doom and gloom over the impending General Data Protection Regulation (GDPR), a new study makes for even more grim reading by showing that last year’s fines dished out by the Information Commissioner’s Office would be 79 times higher – soaring from £880,500 to £69m – under the new regime.
The ICO can currently apply fines of up to £500,000 for contraventions of the Data Protection Act 1998 but once GDPR comes into force on May 25, 2018, there will be a two-tiered sanction regime.
Lesser incidents will be subject to a maximum fine of either €10m (£7.9m) or 2% of an organisation’s global turnover (whichever is greater), while the most serious violations could result in fines of up to €20m or 4% of turnover (whichever is greater).
NCC Group’s security consultants studied all ICO fines from 2015 and 2016. Using the current maximum penalty as a guide, they built a model to determine which tier each fine would fall into and what the maximum post-GDPR fine would likely be.
As already reported by Decision Marketing, TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to nearly £60m under GDPR. Fines given to small and medium-sized enterprises could have been disastrous, with Pharmacy2U’s fine of £130,000 ballooning to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.
Little wonder then, that many companies are fearing the worst.
The 2015 penalties would also have risen drastically from £1m to £35m under the same calculation.
Roger Rawlinson, managing director of NCC Group’s assurance division, said: “GDPR isn’t just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.
“Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.”