Companies and organisations have a responsibility to keep data safe and secure in accordance with the Data Protection Act (DPA). Should they fail to do so, the U.K.’s privacy watchdog, the Information Commissioner’s Office (ICO), can impose penalties accordingly.
Breaches are growing. We cover this topic a lot, because there appears to be no stopping the growth of leaks, hacks, and breaches. New research has shown that data breaches have doubled compared with the previous year. It just seems to be getting worse and worse…
The DPA was enacted to protect an individual’s data. Such an individual is known as a “data subject”. This is achieved by placing responsibilities on companies and organisations, known as “data controllers”. A data controller can also be an individual, so long as they’re processing data.
Penalties
If companies and organisations are processing data, they must ensure that the processing complies with the DPA. If they fail to do so, the ICO can take enforcement action, which could include prosecution and monetary penalties.
The ICO has a general duty to investigate complaints from members of the public who believe that a company or organisation has failed to deal with data correctly.
TalkTalk data breach
The maximum penalty the ICO can impose is £500,000, an amount reserved for the most serious breaches of the data protection principles. In October 2016, the ICO issued a record fine of £400,000 to the telecommunications company TalkTalk. In this case, it found that TalkTalk could have prevented the October 2015 cyberattack if it had been better prepared. The attacker managed to access 156,959 customers’ details, and in 15,656 cases banking details were accessed.
PwC research
New PwC research revealed that U.K. firms were hit with breach-related regulatory fines that have been amongst the highest in Europe. This could be seen as a more stringent approach to companies’ and organisations’ lax attitude to cybersecurity in the U.K. when compared to our continental neighbours. On the other hand, it could indicate that we’re falling short when it comes to proper data protection.
PwC research showed there were 35 U.K. data breach fines in 2016, totalling £3,245,500. This is almost double the year before, when there were 18 data breach fines amounting to £2,031,250.
So, do the above statistics show that the U.K. is more stringent about protecting data? Or do they show we’re not as well prepared as others?
Either way, the growing trend of data breaches remains a significant concern.
EU GDPR
If you thought those fines were big, wait until you see what happens with the introduction of the EU General Data Protection Regulation (GDPR). The GDPR is set to be enforced from 25th May 2018, after which, in a nutshell, companies and organisations will face larger fines if they don’t comply with the law.
Under the new regulation, companies and organisations could be fined up to 4% of their annual global turnover or £16.9 million, whichever is the larger amount. The fines can be imposed regardless of what type of breach has happened, whether it’s a cyberattack or human error, which are two of the most common causes of breaches.
The silver lining is that companies and organisations have the power to prevent these breaches, or at least to be properly prepared for them. They just have to sort it out and make sure they do!
The shifting focus on protecting data
The introduction of the GDPR shows a sharpening focus on protecting data. Matt Hancock, Minister for Digital and Culture, reiterates this by stating:
“The upcoming GDPR will be key to ensuring strong organisational data protection regimes supported by strong cybersecurity.”