Last updated: 12.07.17

UK businesses 'racking up increasing number of data privacy fines'

Data privacy has become an increasingly important compliance issue for digital businesses, but many companies across the UK are still not meeting their legal requirements - potentially putting themselves at risk of punitive action.

This trend was highlighted in a recent report from PwC, which has indicated that the number of breaches of UK data protection laws increased considerably in 2016, resulting in substantial fines.

The professional services company analysed UK Information Commissioner's Office (ICO) data on protection enforcement actions over the past five years, specifically looking at monetary penalties, enforcement notices, prosecutions and legal undertakings. It was found that data privacy issues led to 35 fines being handed out, coming to £3,245,500 - almost double the 2015 total of 18 such penalties.

Moreover, 23 enforcement notices - which compel organisations to take steps to ensure compliance after a data breach - were issued in 2016. This marks a 155 per cent increase on 2015, when only nine notices were recorded.

It means that the UK, alongside Italy, was one of the most active regions for regulatory enforcement action in Europe last year, with the upward trend suggesting that organisations need to improve their awareness of an increasingly business-critical issue.

Indeed, it's noteworthy that the incidents are occurring despite a recent CEO survey by PwC indicating that 90 per cent of chief executives around the world understand that breaches of data privacy and ethics have a negative impact on stakeholder trust. Moreover, the fact that the new EU General Data Protection Regulation (GDPR) is about to come into force is set to put this issue even higher on the agenda in the near future.

When GDPR takes effect on May 25th 2018, new regulations about breach disclosure, data portability and usage consent will all be implemented, meaning organisations could face penalties of up to four per cent of their global turnover, or €20 million (£17.59 million) - depending on which is higher.

The GDPR represents the biggest change in privacy laws for more than 20 years, and the British government has confirmed that the country's planned exit from the EU will not affect its introduction, so it is essential that businesses take the necessary steps to ensure their compliance with the new data protection legislation at the earliest possible opportunity.

Stewart Room, PwC's global cyber security and data protection legal services leader, said: "We've performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change.

"It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention; after all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?"

Related resources