Thirty-five fines totalling £3,245,500 were handed out for breaches of UK data protection law – nearly double the total in 2015.
In what should be of real concern to those companies still unprepared for the impending GDPR, there was a staggering 155% increase in the number of data protection enforcement actions issued in 2016.
In 2015, just nine notices were issued, compared with the 23 enforcement notices issued last year. What makes this increase even more surprising is that 2016 was the year organisations were required to take steps to ensure compliance after a data breach, and the first year in the journey to GDPR compliance.
According to PwC analysis of ICO data protection enforcement actions, the UK was one of the most active regions for regulatory enforcement action in Europe last year, along with Italy (€3.3m). However, the low level of financial penalties seen in Europe sits in stark contrast to the US, where fines of approximately $250m were served.
“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” said Stewart Room, PwC’s global cyber security and data protection legal services leader.
PwC’s recent CEO Survey found that 90% of CEOs around the world believe breaches of data privacy and ethics will have a negative impact on stakeholder trust, so the time to put this at the top of the agenda is now, before GDPR becomes law from 25 May 2018. From then on, a variety of new compliance obligations will be imposed, including new rules on breach disclosure, data portability and consent to data use. Organisations that fail to comply could face penalties of up to 4% of global turnover or €20m, whichever is higher.
“We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change,” said Mr Room.
“It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?”