In June a Berkshire-based company, Boomerang Video Limited, was fined £60,000 by the Information Commissioner’s Office for failing to take basic steps to protect its website from a cyber attack that allowed details of over 26,000 customers to be accessed. The ICO enforcement manager issued a statement:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you. If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
GDPR comes into force on 25th May 2018. It makes radical changes to the data protection regime, which has been largely unchanged since the first Data Protection Act in 1984. Businesses must, to quote from the GDPR, “implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with” the regulations. The Information Commissioner will be able to require businesses to produce evidence of their data protection systems and to demonstrate the steps that they have taken to comply.
There are many more detailed changes that will be brought into force by GDPR and, despite it being EU legislation, there is currently no prospect of it being delayed or overturned as a result of Brexit. The Government has announced a new Data Protection Bill to be introduced in Parliament in the autumn to import GDPR into English law. Compliance is not optional. The ICO currently has the power to fine businesses for breach of data protection legislation up to a maximum of £500,000. Under the GDPR, the penalties will increase to a maximum of the higher of €20 million and 4% of turnover.