What are the GDPR non-compliance penalties?
Cyber security specialists NCC Group reported that last year the Information Commissioner's Office (ICO) fined UK businesses £880,500 under the Data Protection Act 1998, but if the GDPR had been in force at that time, these fines would have equated to a whopping £69 million.
The GDPR is now in force and fines are split into a two-tiered sanction regime. Smaller incidents are subject to a maximum fine of 2% of the business's annual turnover or €10 million, whichever is the larger amount. More severe breaches of the GDPR can be fined up to 4% of annual turnover or €20 million, whichever is the larger amount.
In 2016, TalkTalk was fined £400,000 following the breach of 157,000 customers' personal data, as reported by the BBC. The ICO reported that the fine was imposed because the TV, broadband and telecoms giant had failed to implement basic cyber security measures, making it too easy for cyber criminals to access the data.
To put this in perspective, if this fine had been issued under the new GDPR regime, TalkTalk would have been fined £59 million for the security breach, as reported by The Register. Following the breach, SC Media reported that TalkTalk lost 250,000 customers and its share of the home services market fell by 4.4%. TalkTalk is now known as one of the cheapest fibre broadband providers, a price-based strategy thought to have been adopted in order to win back the trust of its customers.
What are the legal accountabilities?
The consequences of failing to adhere to the GDPR don't stop at astronomical fines: in severe cases they could result in a prison sentence for company directors. Kingsley Napley, the internationally recognised law firm, reports that this could be the case if the business in question has lost personal data due to weaknesses in its security set-up, or if data has been stolen from within the business.
Should small businesses ignore the GDPR?
Many small businesses may believe that the GDPR won't affect them, but that's not the case. Hiscox, the insurance giant, reports that under the GDPR any business involved in handling or processing personal data could be subject to fines if that data is lost or stolen.
What does the GDPR consider personal data?
- Personal Home Addresses
- Contact Names
- Personal Contact Numbers
- Personal IP Addresses
- Personal Email Addresses
- Racial or Ethnic Origin
- Political Opinions
- Religious Beliefs
- Sexual Life
- Physical or Mental Health information
- Whether the customer is a member of a trade union
- Any criminal offences
What must businesses do in the event of a data breach?
Businesses are responsible for reporting any breach to the ICO within 72 hours of the occurrence. As of 25 May 2018, the ICO states that if you fail to notify within that time frame, the 2% of annual turnover penalty may apply.
If you have any concerns about your business's IT security set-up, please get in touch and one of our certified GDPR consultants will be happy to discuss solutions with you. Our GDPR Consultancy Brochure is also available as a download.