Kate Baldwin, Parliament Street’s comment editor, looks at how ICO fines will decimate companies that haven’t met the minimum requirements of GDPR.
There’s been a significant amount of turbulence around how European laws, regulations and directives will proceed post-Brexit. As exit discussions continue, the Government is naturally keeping its cards to its chest.
One of the few things that the Government very quickly pledged continued support for post-referendum was GDPR – the upcoming General Data Protection Regulations that will come into effect from May 25th, 2018. Under these new obligations for data management, processing and security, companies will face the risk of fines of up to €20 million or 4% of their global annual turnover for the preceding financial year – whichever is the greater – for data breaches.
As it currently stands, the ICO – who would act as the UK’s watchdog – can hand out fines of up to £500,000 when companies contravene the Data Protection Act 1998. GDPR will massively amplify the cost of punitive fines against companies that suffer data breaches.
Analysis by the NCC Group found that if the under the GDPR regulations, the ICO’s fines from 2016, which totaled £880,500, would have cost £69m. In 2015, it would have risen from £1 million to £35m.
With Government figures indicating that just under half of British firms suffered cyberattacks in the past year, rising to two thirds for medium and large companies, it’s clear that businesses aren’t ignorant to the cost of cyberattacks. Lost intellectual property, brand damage and its knock-on impact on stock price have meant that cyberattacks are now a board level issue.
But GDPR will change the games for companies that face cyberattacks. Obligations to report data breaches within 72 hours, as well as the significant penalties if it is considered that the right data protection and cybersecurity processes weren’t in place will have a debilitating impact on businesses that must already face all of the aforementioned challenges.
The countdown is on for businesses to ensure their compliance with GDPR data processing rules, as well as putting comprehensive cybersecurity solutions and processes in place that will not only defend against the evolving threat landscape, but satisfy watchdogs in the event of a breach.
So, you’d think that companies were on it…
But that’s not the case. Research conducted earlier this summer found that only 43% of organisations are preparing for GDPR, while 71% of UK businesses are not aware of the fines.
Organisations of all sizes, from all industries – whether private, public or third sector – need to ensure that their business is compliant before the 25th May 2018. This is no mean feat and experts across the world are actively working with businesses to understand the GDPR regulations and what it means for their business.
If you’re not sure what GDPR means to your organisation and the steps that it should be taking ahead of the deadline, join us at the Parliament Street Tech Frontiers conference, where at 10am Jon Geater, Chief Technology Officer at Thales, Ruth Davis, Head of Cyber Security Strategy at BT Security, and Dan Raywood, Contributing Editor at InfoSecurity Magazine, will be joining me to discuss how businesses can tackle the cybersecurity threat, protect their data and avoid catastrophic financial penalties.
For more information and to buy tickets, see more details on Eventbrite.
