Much has been written about the financial impact the General Data Protection Regulation (GDPR) will have when it comes into action in May 2018. What most articles don’t mention is how regularly the infractions are being made today that the GDPR heavily penalizes, and what that could mean for companies if adjustments and corrections are not made in time. For example, a £400k fine that was handed to a large UK telco company would balloon to £59m under the GDPR, which is 147.5 times the original amount!
GDPR: A Global Issue
In this blog, I share examples of how rule breaches are occurring within the UK right now. However, if you think this is just a European issue, be warned that the same rules apply to all companies worldwide doing business with any company in the European Union. In today’s connected world, that is the vast majority.
The Information Commissioner’s Office (ICO), the organization that will be responsible for monitoring GDPR and non-compliance in the UK, issued 59 fines worth a total of £3.3m over the past 12 months based on the Data Protection Act 1998. Once the GDPR comes into force, the scope of the work by the ICO, as well as the fines they hand out, will increase dramatically.
How are Companies Breaking Future GDPR Rules Today?
The analysis of ICO fines below is taken from publicly available ICO enforcement notices data.
| Area of Enforcement | # Fines | Total Value £ | Average £ |
|---|---|---|---|
| 1. Nuisance calls and text spamming | 22 | £1.95m | £42,900 |
| 2. Invalid registration for data | 3 | £1,319 | £440 |
| 3. No protection from a cyber-attack | 3 | £500,000 | £167,000 |
| 4. Accessing data without a business need | 10 | £4,681 | £468 |
| 5. Obtaining and selling personal data | 3 | £2,670 | £890 |
| 6. Non-compliance with rules | 12 | £137,250 | £11,438 |
| 7. Not keeping data safe (other than cyber-attack) | 6 | £685,000 | £114,000 |
What This Means for You
The fines assessed by the ICO relative to the Data Protection Act 1998 provide a good indication of where the office will be headed in its enforcement of the GDPR. The ICO regulators themselves are gearing up for the GDPR and have publicly stated they will be watching those firms who have previously been fined, as well as those firms who carry out similar activities in the future.
Today, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once the GDPR comes into force on May 25, 2018, there will be a two-tiered sanction system, with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or two percent of an organization's global turnover (whichever is greater). Use this information to better focus your attention on the GDPR areas of greatest risk for your organization.
Where the Mistakes are Made
The area of biggest fines stems from firms having their data stolen during a cyber-attack due to a lack of adequate security, and there are few excuses for not protecting your data in 2017. Beyond being ill-prepared for hacking attempts, other organizations’ data safety infractions even included physical recklessness such as the loss of CDs sent in the post.
However, the area of greatest concern, and the area which is likely to grow most when GDPR goes into effect, is non-compliance with the rules. This means that organizations are doing things with data that they should not. The huge fines threatened by GDPR will force every company to be fully transparent about what processes they are performing with all their data.
Your Next Steps
To prepare for the GDPR at your organization, we recommend you start by checking your own exposure against the categories of Data Protection Act 1998 fines shared above. Doing so will focus your efforts and make clear why you are doing the work.
To learn more about the GDPR and how WhereScape automation can help you prepare and fast track your organization’s compliance, read this WhereScape automation for GDPR white paper now.