UK firms were among the hardest hit in Europe when it came to breach-related regulatory fines last year, as the ICO stepped its enforcement work up considerably, according to new PwC research.
The global consultancy’s analysis revealed that breaches of the Data Protection Act (DPA) resulted in 35 fines totaling £3,245,500.
That’s almost double the 18 fines issued in 2015, at a cost of around £2m, and puts the UK alongside Italy (€3.3m, £2.9m) as having one of the toughest data protection regimes in Europe.
In addition, 23 enforcement notices were issued in 2016, a 155% increase on the nine enacted in 2015. These typically require recipient organizations to take various steps to ensure compliance after a breach.
However, a PwC spokesperson told Infosecurity Magazine that not all European regulators make such data publicly available, while others have yet to release their 2016 figures, so a definitive comparison for the region is not possible.
PwC took the opportunity to warn UK firms that the forthcoming EU General Data Protection Regulation (GDPR) will bring with it even bigger potential fines when it lands on May 25 2018.
“The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organizations must use the remaining time to prepare for GDPR compliance before May next year,” argued PwC’s global cyber security and data protection legal services lead, Stewart Room.
“We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programs beyond just risk reviews and data analysis to delivering real operational change.”
Rob Norris, head of enterprise & cybersecurity EMEIA at Fujitsu, advised organizations to conduct data inventory scans to first discover what they’re storing and where it’s held.
“Once that’s done they need to speak to specialists who can help them create a holistic solution that prioritizes the protection of critical data,” he added.
“On the other hand, this must work in tandem with a culture shift within organisations that prioritizes and creates awareness of protective measures against cyber-crime. Phishing attacks and human error are two of the most common causes of a breach, and the positive thing is organizations do have the power to prevent such instances from happening.”