Written by Rob Young, Group Managing Director – 4th August 2017
With the General Data Protection Regulation (GDPR) quickly creeping up on the UK, it is becoming increasingly evident that most businesses either don't understand what it takes to be GDPR compliant or aren't aware of the repercussions if they are found to be non-compliant.
Download our useful GDPR checklist
Interested to know what your business needs to do before May 2018 in order to be GDPR compliant? One of our certified GDPR consultants has put together 34 questions that you need to consider in order to become compliant.
What is the penalty for GDPR non-compliance?
Cyber security specialists NCC Group reported that last year the Information Commissioner's Office (ICO) fined UK businesses £880,500 under the Data Protection Act 1998, but if the GDPR had been in force at that time, these fines would have equated to a whopping £69 million.
The GDPR comes into force in just over 9 months' time. Fines will be split into a two-tiered sanction regime. It has been reported that smaller incidents will be subject to a maximum fine of 2% of the business's annual turnover or €10 million, whichever is the larger amount. More severe breaches of the GDPR could be fined up to 4% of annual turnover or €20 million.
In 2016, TalkTalk was fined £400,000 following a data breach affecting the personal data of 157,000 customers, as reported by the BBC. The ICO stated that the fine was imposed because the TV, broadband and telecoms giant had failed to implement basic cyber security measures, making it too easy for cyber criminals to access the data.
To put this in perspective, had this fine been issued under the new GDPR regime, TalkTalk would have been fined £59 million for the security breach, as reported by The Register. Following the breach, SC Media reported that TalkTalk lost 250,000 customers and its share of the home services market fell by 4.4%. TalkTalk is now known as one of the cheapest fibre broadband providers, a price-based strategy thought to have been adopted in order to win back the trust of its customers.
The consequences of failing to adhere to the GDPR don't stop at astronomical fines; in severe cases they could result in a prison sentence for company directors. Kingsley Napley, the internationally recognised law firm, reports that this could be the case if the business in question has lost personal data because of weaknesses in its security set-up, or if data has been stolen from within the business.
Should small businesses ignore the GDPR?
Many small businesses may believe that the GDPR won't affect them, but that is not the case. Hiscox, the insurance giant, reports that under the GDPR any business that handles or processes personal data can still be subject to fines if that data is lost or stolen.
What does the GDPR consider personal data?
- Personal Home Addresses
- Contact Names
- Personal Contact Numbers
- Personal IP Addresses
- Personal Email Addresses
- Racial or Ethnic Origin
- Political Opinions
- Religious Beliefs
- Sexual Life
- Physical or Mental Health information
- Whether the customer is a member of a trade union
- Any criminal offences
What must businesses do in the event of a data breach?
Businesses have the responsibility of reporting any breach to the ICO within 72 hours of the occurrence. As of 25th May 2018, if you fail to notify within that time frame, the ICO states that the 2% of annual turnover penalty may apply.
If you found this blog interesting, you may also want to look at our other GDPR-related blogs: '7 steps to kick start GDPR Compliance', 'The GDPR – what it means for UK businesses', 'GDPR and the role of a Data Protection Officer' and 'New EU General Data Protection Regulation (GDPR)'.
If you have any concerns about your business's IT security set-up, please get in touch and one of our certified GDPR consultants will be happy to discuss solutions with you. Our GDPR Consultancy Brochure is also available as a download.