Companies in Europe, and those elsewhere in the world that process the personal data of European Union data subjects, should be aware of the impact that fines could have on them if they do not comply with the new European Union General Data Protection Regulation (GDPR). Across Europe and many other countries around the globe, the fines that can be levied under GDPR far outweigh those that can currently be levied in each respective country.
In the UK, for example, as things stand, the Information Commissioner’s Office (ICO), which is in charge of implementing and overseeing the new European Union General Data Protection Regulation, can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into effect on May 25 2018, however, there will be a two-tiered sanction regime:
- Lesser sanctions will be subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation’s global turnover (whichever is greater).
- More serious violations of GDPR could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).
In an interesting study, NCC Group, global experts in cyber security and risk mitigation, looked at some recent fines issued by the ICO and assessed what they would be under the new European Union General Data Protection Regulation. The results were shocking.
For example, the fine of £400,000 given to TalkTalk in 2016 for security flaws that led to hackers accessing customer data would be a huge £59 million under GDPR. Pharmacy2U, a much smaller business than TalkTalk, was hit with a fine of £130,000 in 2016, but under GDPR this would skyrocket to £4.4 million, a significant share of its revenues and realistically enough to put it out of business. It is therefore crucial that all businesses, large and small, engage with GDPR and its requirements sooner rather than later.
Roger Rawlinson, managing director of NCC Group’s assurance division, said: “GDPR isn’t just about financial penalties, but this analysis is a reminder that there will be significant commercial impacts for organisations that fall foul of the regulations.
“Businesses should have already started preparations for GDPR by now. Most organisations will have to fundamentally change the way they organise, manage and protect data. A shift of this size will need buy-in from the board.”