Huge fines risk for failing to prevent data breaches

Posted on February 13th, 2017

Companies failing to comply with the EU’s General Data Protection Regulations (GDPR) could face fines of up to 20m euros or four per cent of annual worldwide turnover from next year.

The Regulation comes into effect in 2018 - when the UK will still be part of the EU - and allows considerably greater punishment than the £500,000 ceiling currently imposed for data breaches,

Last year (2016) saw some significant penalties handed down for data breaches with some high-profile organisations admitting to being hacked, including Tesco Bank, Three, Sage and Kiddicare. In 2015 TalkTalk was targeted by hackers.

Understanding where the attacks are likely to come from and where businesses tend to get their protection protocols wrong could be crucial to proving that steps were taken to prevent a data breach if a firm were to find itself facing a significant penalty.

The Chamber has teamed up with patron Economit, an independent and impartial IT consultancy based in Derby, to deliver a series of free business information sessions, the first of which takes place at Seven Restaurant and Café Bar, Pride Park, Derby, at 8am on Tuesday 21 February.

This briefings will cover all of the "need to know" developments and how they will affect an organisation, including the latest on preventing data breaches, insuring against cyber risk and changes to legislation governing sensitive data.

According to Computer Weekly in October last year, quoting a Government 2015 information security breaches survey, “…90% of large organisations and 74% of SMEs reported a security breach leading to an estimated total of £1.4bn in regulatory fines”.

The feature added: “In 2018, the European Union’s General Data Protection Regulation (GDPR) will introduce fines for groups of companies of up to 20m euros or 4% of annual worldwide turnover, whichever is greater – far exceeding the current maximum of £500,000.”

Andy Watterson, the Chamber’s lead on cyber crime, said: “Data breaches and other cyber attacks are not going to diminish. If anything, they will get bigger and more frequent as the hackers get more and more clever and the amount of data gathered by organisations of all sizes increases.

“The Government has already said that all existing EU regulations will be subsumed into UK law when we leave the EU so the punitive elements of the General Data Protection Regulations won’t go away any time soon.

“It is essential organisations can prove they took every precaution possible to protect client data if they need to mitigate a punishment calculated on four per cent of global turnover – that’s turnover, not profit.”

Mike Donoghue, Joint Managing Director at Economit, said: “The first step to being able to defend against a big punishment is to prove that you took steps to understand and prevent the breach, and that’s what the session we’re delivering with the Chamber will attempt to do.

“No organisation is really completely safe, and don’t let anyone tell you otherwise. But for the vast majority of businesses, getting the simple and basic things right will provide more than adequate protection against increasingly clever and resourceful cyber criminals.

“It’s also easier for smaller organisations to provide adequate protection for themselves as they typically have fewer locations storing data and the size of that data is miniscule compared to the like of the Yahoo!’s of this world.

“But the simple truth of the matter is that the majority of businesses don’t provide adequate protection, not even close in fact, and in IT security terms, if you’re not part of the solution then you’re part of the problem.”