ICO starts to bear its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO)  levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. The PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000 – although it is yet to do so. The largest fine a UK organisation has received from a breach of data protection laws has been £400,000 which was levied against Kerboom Communications in May 2017 and TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What SMEs can do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber-attacks, and improve business efficiency in the process.  A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, as well as putting you on route to helping you with cyber insurance if you are considering taking this out.

Cyber-Essentials-logo-HiRes