New EU regulations governing the way UK companies handle their customers’ personal information come into force next year. These new rules have critical implications for all businesses, as they create strict guidelines for the processing of personal data and carry the risk of hefty fines for failure to comply with the regulations.
The General Data Protection Regulations, taking effect in May 2018, will replace the UK’s existing Data Protection Act 1998. Probably the most striking feature of these Regulations is the new set of punitive measures that the Information Commissioner’s Office is able to hand down.
Going forward, for the more serious offences, a company may be liable to a fine of up to 4% of its annual global turnover. To put this into perspective, TalkTalk, a £1.8bn revenue business, could have potentially faced a £72m punishment, an astronomical hike above the £400,000 penalty it received in 2014 for its data breach.
Although the penalties are severe, there are some simple steps that companies can take to make sure they don’t fall foul of the authorities in the event of a cyber attack. One of the most stringent requirements is for businesses to be able to demonstrate that they take all reasonable steps to protect the personal data they hold and have all the necessary safeguards in place to minimise the risk. It is also vital to show that you reported the breach within 72 hours of the event.
Government figures suggest that some 46% of British businesses discovered at least one cyber security breach or attack over the course of the past 12 months, yet only one-third of companies have a formal policy that covers cyber security risks. Given these statistics, it is vital that UK businesses take the time to ensure they have in place a robust set of checks and balances, so that they can respond to the ICO with confidence in the event of a security breach.