General Data Protection Regulation

From £400,000 to £59 Million: How Fines Will Rocket Under GDPR

Earlier in the week we reported that 47 percent of organizations globally have major doubts that they will meet the compliance deadline for the General Data Protection Regulation (GDPR) in May 2018. Missing it could see them face fines, yet many companies that acknowledge this still show no sense of urgency about complying by May 2018. They may do once they appreciate how large the fines could be, thanks to data from the NCC Group published this week. The information assurance group compared previous fines issued by the Information Commissioner's Office (ICO) with what they would have been had GDPR already been in force. The results are startling.

In 2016, the ICO fined TalkTalk £400,000 for the security failings behind a breach in which attackers broke through the company's inadequate defences. First thought to be a mass raid on customer data, the attack was subsequently found to have affected about 4% of the company's four million customers. TalkTalk nonetheless lost just over 100,000 customers and suffered total costs of around £60 million. Under GDPR, the regulatory fine alone would rocket to £59 million.

In 2015, Pharmacy2U, the UK's biggest NHS-approved online pharmacy, was found to have breached the Data Protection Act by selling the details of more than 20,000 customers, without their permission, through a marketing company. The records, which identified people with conditions such as erectile dysfunction, asthma and Parkinson's disease, were sold at a rate of £130 per 1,000 records.

At the time, the ICO Deputy Commissioner David Smith said, “It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.”

The fine Pharmacy2U received from the ICO was £130,000. Under GDPR, this would balloon to £4.4 million, possibly enough to put a business of that size under.

Roger Rawlinson, managing director of NCC Group’s assurance division, said: “GDPR isn’t just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations. Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.”

Many businesses may be under the mistaken belief that the EU's GDPR will not apply to them because of Brexit. It will: GDPR takes effect in May 2018, while the UK is still a member state. Organisations should also be aware that if they process the personal data of people in the EU, they will have to comply with GDPR even after Brexit.