A report by professional services firm PwC, using figures from the UK’s Information Commissioner’s Office (“ICO”), confirmed that the number of fines handed out for breaking UK data protection laws almost doubled last year, making Britain one of the most active regions for regulatory enforcement across Europe. The report found that fines for data protection breaches hit over £3.2m ($4.1m) in 2016, putting the UK on par with Italy, where fines totaled £3.3m ($4.25m), but dramatically below the U.S., where fines and settlements of approximately $250m were served.
The rise in fines in the UK is steep. In 2016, 35 fines were served for breaking data protection laws in the UK, compared to 18 in 2015 for a total of just over £2m ($2.6m). That already represented a sharp increase from the £1.2m ($1.5m) issued in 2014.
These figures come against the backdrop of Europe gearing up for the implementation of the General Data Protection Regulation (“GDPR”), which comes into force on May 25, 2018, now less than a year away. Under the new regime, non-compliance penalties could lead to fines of up to €20m ($22.5m) or 4 percent of a company’s global annual revenues. This represents a drastic increase over the current position, whereby the ICO can issue fines of only up to £500,000 ($650,000). The new powers under the GDPR will put organizations that have not taken steps to comply with the GDPR under great compliance pressure, and it is important that they use the coming months to prepare.
It is imperative that, ahead of the new regulations coming into force next year, businesses prioritize security and privacy. Another recent PwC survey found that 90 percent of CEOs globally believe that breaches of data privacy and ethics have a negative impact on stakeholder trust. Many take the view that organizations that are ahead of the curve and implement the requirements of the GDPR in good time will increase their brand reputation, maximize stakeholder trust and, by doing so, get ahead of their competitors.