Research carried out by law firm RPC has suggested that the average data protection fine levied by the Information Commissioner’s Office (ICO) has risen by 14% in the year since the introduction of the General Data Protection Regulation (GDPR).
The GDPR came into effect on 25 May 2018, placing additional obligations on businesses in regard to the safeguarding of personal data.
According to RPC, the average fine has increased from £125,000 in 2017/18 to £143,000 in 2018/19. The law firm also suggested that, since the introduction of the GDPR, the ICO ‘is becoming more willing to levy bigger fines’.
‘The ICO has already begun to ratchet up the value of fines, and it has barely scratched the surface of its powers,’ said Richard Breavington, Partner at RPC.
‘However, we don’t expect to see blockbuster €20 million fines being levied in the near future. So far, the regulator has only started to hit businesses with the £500,000 maximum fine for breaches under the old Data Protection Act.’
Following the publication of the government’s 2019 Cyber Security Breaches Survey, business leaders are being urged to ‘do more’ to protect their firms from cyber-attacks and cybercrime.
The survey showed that 32% of businesses reported experiencing a cyber security breach or attack in the last 12 months. This represents a reduction when compared to last year’s figure of 43%. The reduction has been attributed to the implementation of stringent new data laws, which form the General Data Protection Regulation (GDPR).
The survey also revealed that the average number of security breaches has risen from four in 2018 to six in 2019.
Where a breach resulted in a loss of data or assets, the average cost was £4,180. The most common attacks came via phishing emails, viruses or other malware, including ransomware. Instances of criminals impersonating organisations online were also rife.
Commenting on the survey, Margot James, Minister of State for the Department for Digital, Culture, Media and Sport, said: ‘Following the introduction of new data protection laws in the UK, it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before. However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.’
Business and charity leaders are being encouraged to follow the ‘ten steps to cyber security’ guidance, which can be found on the National Cyber Security Centre (NCSC) website.
A survey carried out by data provider Dun & Bradstreet has suggested that small firms’ plans for growth are being adversely affected by late payments and restricted access to finance.
Overdue payments ‘remain a prevalent challenge’ for many businesses, the survey revealed. The average amount owed to small and medium-sized enterprises (SMEs) currently totals £80,000 – a significant increase from last year’s figure of £64,000.
The survey also outlined other factors that have hindered SMEs’ ability to grow, including restricted access to appropriate finance; managing General Data Protection Regulation (GDPR) compliance; adopting new technology; and sourcing the right talent for their business.
The uncertainty surrounding Brexit has also negatively affected firms: 40% reported that Brexit has ‘significantly slowed’ their growth. An additional 64% of survey respondents stated that Brexit will be the deciding factor in determining the success of their business.
Commenting on the findings, Tim Vine, Head of European Trade Credit at Dun & Bradstreet, said: ‘There’s no doubt the months ahead will continue to be challenging as we move towards the Brexit deadline. Small business leaders are having to contend with scenario planning on top of dealing with day-to-day priorities such as cashflow management, late payments and securing finance for future growth.’
Research carried out by commercial law firm EMW has revealed that the number of data breach complaints made to the Information Commissioner’s Office (ICO) has risen by 160% since the introduction of the General Data Protection Regulation (GDPR).
The GDPR came into effect on 25 May 2018, and UK businesses were required to be compliant by this time. Under the Regulation, businesses that deal with individuals living in an EU member state must protect the personal information belonging to those individuals, and must have verified proof of such protection.
EMW’s research revealed that, between 25 May 2018 and 3 July 2018, 6,281 data protection complaints were made to the ICO. This represents a rise of 160% when compared to the same period in 2017, when 2,417 complaints were made.
According to the law firm, ‘increasing numbers’ of consumers are making complaints in regard to data breaches. EMW also suggested that a ‘heightened awareness of individuals’ new data rights’ now exists, partly due to ‘greater media publicity’ given to the GDPR, alongside considerable government advertising.
‘A huge increase in complaints is very worrying for many businesses, considering the scale of the fines that can now be imposed,’ said James Geary, Principal of EMW’s Commercial Contracts team.
‘The more data a business has, the harder it is to respond quickly and in the correct, compliant manner.’
28% of businesses are unsure about their compliance with the General Data Protection Regulation (GDPR), according to a survey carried out by Infosecurity Europe.
The GDPR came into effect on 25 May 2018, and organisations were required to be fully compliant with the new regulation by this time.
Under the GDPR, all organisations that deal with individuals living in an EU member state must protect the personal information belonging to those individuals, and must have verified proof of such protection.
The GDPR places significant emphasis on transparency and accountability, and requires businesses of all sizes to be responsible for safeguarding the collection, storage and usage of personal data.
A handful of survey respondents revealed that they were not confident that they would pass a GDPR audit.
Businesses were also asked if they could identify where personal data is stored on their systems. More than half stated that they would require an additional three months to organise their systems in order to successfully identify where personal data is kept.
Commenting on the findings, Terry Ray, Chief Technology Officer at cyber security firm Imperva, said: ‘The deadline has now come and gone, and yet the study shows that many organisations aren’t sure they have achieved GDPR compliance.
‘Any company that put GDPR off until the last minute now realises compliance cannot be achieved overnight.’
As a result of the introduction of the General Data Protection Regulation (GDPR) last month, cybersecurity firm CrowdStrike has warned that businesses may be lured into paying cyber ransom demands to criminals, rather than pay costly GDPR fines.
Ransomware is a form of malicious software that encrypts or locks your files until a ransom is paid, or threatens to publish confidential data if it is not.
Fines for non-compliance with the GDPR can reach €20 million, or 4% of global turnover, whichever is higher. CrowdStrike suggests that the scale of these penalties gives criminals room to increase their ransom demands while still keeping them below the level of a potential GDPR fine.
George Kurtz, Chief Executive of CrowdStrike, stated: ‘If [you have] a 4% fine on your overall top-line revenue, or you have a ransomware that you can pay off and maybe quietly make it go away, I think there’s going to be an interesting dynamic in the amount that the market values paying off enterprise ransomware.’
Many consumers have recently been bombarded with what Security Boulevard, a security bloggers’ network, calls a ‘barrage of new terms and conditions’ from businesses, which are designed to gather and record individuals’ consent in regard to firms’ marketing emails and other communications. Criminals have been taking advantage of the sending of such emails to carry out scams by ‘catching internet users off guard’, according to a report published by Security Boulevard.
If a business finds itself the victim of a ransomware attack, its owners should contact the National Cyber Security Centre (NCSC), which provides crisis support to affected firms.
With less than one month until the introduction of the new General Data Protection Regulation (GDPR), the Federation of Small Businesses (FSB) has warned small and medium-sized enterprises (SMEs) that time is running out for them to prepare.
The business group stated that small businesses face an ‘uphill challenge’ in ensuring that they are compliant by 25 May 2018 – the date from which the new regulation takes effect.
Under the new rules, organisations which collect, store and process individuals’ personal data will be subject to new obligations, with an increased emphasis on accountability and transparency.
The financial penalties for failing to comply are severe, with fines costing up to €20 million or up to 4% of total annual worldwide revenue, whichever is the greater.
The FSB has called on the Information Commissioner’s Office (ICO), the regulatory body that will monitor firms’ compliance, to adopt an ‘understanding approach’ to GDPR enforcement.
‘As the GDPR deadline swiftly approaches, there is a real danger that many small businesses are yet to have adequately prepared for the changes,’ said Mike Cherry, National Chairman of the FSB.
‘Fortunately for these businesses, there is still time on the clock to start, or finish, their preparations.
‘The GDPR is the largest shake-up of data protection laws for years, and whether you are a personal trainer or a consultant, most businesses will have to implement changes to their current practices to make sure they are complying with the new rules.’
Further information on the GDPR can be found on the ICO website.