UK firms could face £122 billion in fines under new EU data protection rules
17 October 2016
UK firms could face £122 billion in cyber security fines in 2018 under new EU data protection rules, according to new research.
A report from the PCI Security Standards Council (PCI SSC) found that businesses face billions in fines if they do not improve their cyber security.
Government figures show that in 2015, 90 per cent of large firms and 74 per cent of SMEs suffered security breaches, leading to £1.4 billion in regulatory fines.
However, under the European Union's new General Data Protection Regulation (GDPR), which comes into full force in 2018, companies can face fines of up to €20 million (£18 million) or four per cent of their global turnover - whichever is greater.
If breaches remain at 2015 levels, this could mean a 90-fold increase in the total amount businesses are fined, taking the figure up to £122 billion.
The PCI SSC estimates that the average large organisation could face fines of £11 million, while the average small firm could have to pay out £13,000.
These figures are in addition to losses incurred relating to cyber breaches themselves, as well as damage relating to reputation and business disruption.
“The new EU legislation will be an absolute game-changer for both large organisations and SMEs,” said Jeremy King, international director at the PCI SSC. “The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.
“Companies both large and small need to act now and start putting in place robust standards and procedures to counter the cyber security threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand.”
Speaking at R3 2016, Mark Taylor, a partner at Osborne Clarke, explained how the GDPR will “radically” change breach notification rules for UK businesses.
“The good news is you’ve still got 18 months to work out how to do it,” he said.