evievee09 - Fotolia

UK issues record data protection fines in the past year

The UK was one of the most active regions for regulatory enforcement action in Europe last year in terms of fines and enforcement notices issued over data protection

Monetary penalties issued for breaching UK data protection laws totalled a record £3.2m relating to 35 incidents in 2016, a report by PricewaterhouseCoopers (PwC) has revealed.

This is up almost 60% compared with the previous year and 33% more than the previous annual record for data protection fines of £2.4m set in 2012.

The number of serious breaches of the UK Data Protection Act attracting fines almost doubled from just 18 in 2015.

However, UK organisations risk even larger fines if they fail to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.

Under the current law, the Information Commissioner’s Office is empowered to issue penalties up to a maximum of £500,000, but under the GDPR this will increase to £17.5m (€20m) or 4% of global annual turnover, whichever is greater.

To date, the largest penalty issued by the ICO is £400,000 to telecoms operator TalkTalk for the cyber attack in 2015 that exposed the personal details of more than 150,000 customers.

PwC analysed the ICO’s protection enforcement actions over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings.

The report said 23 enforcement notices were issued in 2016 – when organisations are required to take steps to ensure compliance after a data breach. This was an increase of 155% from 2015.

Despite the attention to data protection in Europe in the run-up to the deadline for compliance with the GDPR, the report revealed that Europe has seen relatively few regulatory enforcement actions and a relatively low level of fines compared with the US, where fines for 2016 totalled $250m (£194m).

PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust.

Read more about the GDPR

Therefore, said PwC, now is the time for organisations to put data protection at the top of the agenda before the GDPR compliance deadline in a year’s time.

From 25 May 2018, organisations will have to comply with a variety of new obligations, including new rules about breach disclosure, data portability, and data use consent.

Stewart Room, PwC’s global cyber security and data protection legal services leader, said UK organisations must use the remaining time to prepare for GDPR compliance.

“We have performed more than 150 GDPR readiness assessments with our clients around the world,” he said. “Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.

“It is impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention.”

According to Room, the GDPR is essentially a code for good business, where privacy by design becomes part of everyday operations.

In April 2017, he revealed that PwC data that provides global insight into the issue showed that organisations were failing to address the most important risks because they do not have a structured approach to complying with the GDPR.

“The overriding impression is that entities are tackling the GDPR without vision for their desired end state,” Room told a Westminster eForum event in London.

Read more on Privacy and data protection