This article is more than 1 year old
Info commish: One year to go and businesses still not ready for GDPR
Thought £400k TalkTalk fine was big? Try €20m
Companies are unprepared for the General Data Protection Regulation (GDPR) coming into force a year today, and some small businesses "might not even know" a new regime is looming, the UK Information Commissioner Elizabeth Denham has warned.
Speaking at an event by WSJ Pro Cybersecurity titled How Executives Can Manage the Risks in London, Denham said: "I don't think all companies are ready for GDPR. That said, changes in the law is evolution, not revolution."
So far the the maximum fine handed to organisations under the Data Protection Act by the ICO is £400,000. Two companies have received the record penalty – Keurboom Communications and TalkTalk.
Under GDPR, the fines for a data breach will either be €20m (£17m) or 4 per cent of global annual revenue, whichever is highest.
Denham said such penalties "will make a difference" in ensuring some companies get their houses in order, but added that other powers under GDPR will also help.
"We will have the power of audit, and to look at accountability and data governance. It's not just about going in and investigating data security incidents... we will also expect companies to have a full [data protection] regime in place."
Denham noted that the TalkTalk incident, in which the personal data of 156,959 customers was accessed, was "entirely preventable."
The vulnerabilities were inherited by TalkTalk when it acquired Tiscali in 2009. "The database from Tiscali wasn't even needed anymore. There was nothing in that database TalkTalk was using," said Denham.
She said companies should treat the TalkTalk incident as a cautionary tale.
"Senior staff, heads of companies and the C-suite have to walk the talk. You can't put pressure on frontline staff to do training, without realising you may need to do training yourself. Everybody needs training and it is a concern across entire organisations."
Just 26 per cent of companies believe their businesses are unprepared for the GDPR regulation, but only two-thirds say they will be compliant in time for the deadline, according to a survey by the Direct Marketing Association in February. ®