New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.
Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.
Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.
This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000, although it is yet to do so. The largest fine a UK organisation has received for a breach of data protection laws has been £400,000, which was levied against Keurboom Communications in May 2017 and against TalkTalk last year.
PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.
It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?
News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to compromise. This represents two thirds of the company’s customer base.
The attack is believed to have been carried out through an authorised employee login, which allowed the hackers to access the customer upgrade database.
A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.
Three added that the data accessed included names, phone numbers, addresses and dates of birth, but said that it did not include financial information. Customers whose data has been affected have not yet been informed. However, the speed of the response is indicated by the National Crime Agency's revelation that it is investigating the breach and that three people have already been arrested: two for computer misuse and one for perverting the course of justice.
At the beginning of November the Chancellor, Philip Hammond, called on companies to do more to protect their customers against cyber crime after the series of high-profile breaches in the last few years. Together with the commercial imperative for businesses to strengthen their security measures with GDPR on the horizon, this shows that the need for diligence in compliance is greater than ever.
As part of its ongoing efforts to keep its customers and regional businesses well informed, Amicus ITS has been running a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.
As we know, the UK voted to leave the EU on 23rd June 2016.
The UK is required to serve notice under Article 50 of the Lisbon Treaty and this carries a two year notice period.
The General Data Protection Regulation is due to be implemented in less than two years, on 25th May 2018. GDPR applies not just to organisations established within the EU but to any organisation that processes the data of EU citizens, offers goods and services to EU members, or monitors their online behaviour.
Even standing outside the EU, the long arm of GDPR will apply to any UK organisation handling the data of EU citizens. The UK will need to prove ‘adequacy’ for data protection.
Countries globally are preparing now for GDPR.
For full details of the 12 steps your organisation is guided to take to prepare for GDPR, Amicus ITS invites you to read the ICO's PDF white paper “Preparing for the General Data Protection Regulation (GDPR)” (ico-preparing-for-the-gdpr-12-steps).
I strongly recommend that all organisations actively research what they need to do to comply with GDPR, as once released it automatically becomes law in all EU Member States.