Fines from the Information Commissioner's Office (ICO) against Brit companies last year would have been £69m rather than £880,500 if the pending General Data Protection Regulation (GDPR) had been applied, according to analysis by NCC Group.
The 2015 penalties would also have risen drastically from £1m to £35m under the same benchmark.
As things stand, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into force on 25 May, 2018, there will be a two-tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation's global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).
NCC's security consultants looked at all ICO fines from 2015 and 2016. Using the current maximum penalty as a guide, they built a model to determine which GDPR tier each fine would fall into and what the maximum post-GDPR fine would likely be.
TalkTalk's 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR. Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U's fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.
Roger Rawlinson, managing director of NCC Group's assurance division, said: "GDPR isn't just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.
"Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board."
Although the UK is leaving the European Union, compliance with the GDPR will still be mandatory for British firms that handle EU citizens' data. The ICO has publicly said it plans to introduce something similar to the GDPR post-Brexit, so proceeding on the assumption that the UK will not introduce tougher fines for data breaches is unrealistic. ®