Breaches of UK data protection laws during 2016 attracted thirty-five fines totalling £3,245,500, almost double the 18 fines issued in 2015. Now, with just under a year to go until the biggest change in privacy laws for over 20 years, UK organisations risk even larger fines if they fail to ensure compliance with the General Data Protection Regulation (GDPR).
PwC analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions over the past five years, looking specifically at monetary penalties, enforcement notices, prosecutions and legal undertakings. The analysis found that 23 enforcement notices, which require organisations to take steps to ensure compliance after a data breach, were issued in 2016, a 155% increase on the nine notices issued in 2015.
The UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3m). However, the European pattern of comparatively low volumes of regulatory enforcement action, with low-level financial penalties, is in stark contrast to the US, where fines of approximately $250m were served.
PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this at the top of the agenda is now, before GDPR becomes law across the EU on 25 May 2018. From then on, a variety of new compliance obligations will be imposed, including new rules on breach disclosure, data portability and consent for data use. Organisations that fail to comply could face penalties of up to 4% of global turnover or €20m, whichever is higher.
Stewart Room, PwC’s global cyber security and data protection legal services leader, commented:
“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year.
“We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.
“It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”
Figure 1 – Monetary Penalty Notices issued by the ICO: 2011-2016
Figure 2 – Privacy Enforcement in the UK: Analysis of ICO statistics, 2012-2016