Data protection is a prominent topic in IT circles at the moment, as recent statistics from PwC can attest.
Last year 91 enforcement actions for breaches of current data protection laws were taken by the Information Commissioner’s Office (ICO) in the UK alone, with 54 monetary policies issued to UK organisations to reach the grand sum of £4,207,500.
This is a significant amount not only because of its sheer size but also because of the fact it represents an increase of nearly a million pounds over the previous year.
And now with GDPR – the biggest change to data protection law for more than 20 years – literally hours away, one can only imagine what 2018 will hold with the threat of significantly larger fines.
PwC analysed the UK ICO data protection enforcement actions over the past four years as part of its global Privacy & Security Enforcement Tracker to determine monetary penalties, enforcement notices, prosecutions and undertaking.
“Our analysis found that almost half of last year’s UK data protection enforcement actions were due to marketing infringements, but security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure,” says PwC lead partner for GDPR and data protection Stewart Room.
“These are key areas for organisations to be mindful of as we move into this new era for data protection.”
Currently, the ICO can issue monetary penalties of up to £500,000 and in 2017 just 14 of the 54 fines issued were of more than £100,000. It’s certainly not a small fine, but it looks tiny when compared to the ammunition GDPR will bring where fines for failing to comply can be up to four percent of global turnover or €20 million, whatever is higher.
“The ICO has made it clear, however, that the GDPR is not about the increased fines and the maximum certainly won’t be the norm,” says Room.
“It’s really about putting consumer rights at the heart of today’s data-centred world. There’s an option for organisations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust.”
Room says GDPR’s imminent arrival has seen broad changes globally, which is encouraging.
“At Board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success,” says Room.
“Findings from our GDPR Readiness Assessments, which we’ve run with over 220 clients globally over the last two years, show that, in general, highly regulated sectors such as healthcare and financial services, which are used to dealing with regulatory change, tend to have a slight margin over others in terms of preparedness.”
However, despite these Room’s positive sentiments PwC believes that despite the two years of preparation time, many organisations still won’t be fully compliant due to its sheer complexity and the widespread business process changes often required.
If that’s the case, bring on the fines.