Jessica Fino 27 Jun 2017 04:51pm

Firms face fines for failing to comply with GDPR

Hundreds of thousands of UK businesses are at risk of being fined for failing to adhere to the forthcoming EU General Data Protection Regulation (GDPR), due next May, new research has found.

The law firm Hamlins and, the first GDPR job board, warned seven out of 10 businesses have not allocated any budget to facilitate compliance with the upcoming regulation.

The research warned that businesses could face potential fines up to 4% of a firm’s global annual turnover by not complying with GDPR.

However, 53% of businesses have not appointed a data protection officer and more than a third of open answers amongst those surveyed revealed they are not preparing themselves for the new regulations.

The main reasons for the lack of preparation were believing Brexit would prevent businesses from having to comply (15%), not having the funds to comply (12%), considering there to be a business risk (11%) or not wanting to get caught up in red tape (10%).

Matthew Pryke, a partner at Hamlins, said, “Despite awareness about the GDPR, too many businesses are complacent and think because of their size or nature of business they are somehow exempt from having to comply.

“Regardless of Brexit, this regulation – even with the words EU fronting the name – will still apply for all businesses operating in the UK.

“Those who leave it to chance and don’t prepare now could be left high and dry if the Information Commissioner’s Office finds businesses breach regulations.”

Earlier this month, PwC found that the number of fines imposed on firms for breaching data protection laws almost doubled in 2016 to £3.24m.

After analysing data from the UK Information Commissioner’s Office (ICO), PwC found that 23 enforcement notices were issued in 2016, a 155% increase on the nine notices issued in 2015.

It also warned at the time that UK organisations risk even larger fines if they fail to ensure compliance with the GDPR rules.

GDPR, which aims to help people gain more control over their personal data, has undergone numerous revisions since the European Commission (EC) first proposed a single, harmonised privacy law for the EU in January 2012.

The five requirements of GDPR are: ensuring that all customers know and consent to you having their data; reporting any data breaches within a three-day window; putting in place processes to delete data on an individual when they request that you do so; safeguarding the right to data portability; and keeping accurate records of all transactions associated with any given customer.

Phil Beckett, an MD with Alvarez & Marsal’s global forensic and dispute services practice in London, wrote for economia last year about the upcoming regulation, saying this single law could help to generate cost savings for businesses of around €2.3bn (£1.9bn) a year.

Beckett explained that penalties for failing to comply with GDPR range from enforced data protection audits by the Information Commissioner’s Office until satisfied that levels of compliance are adequate, to fines of €20m or 4% of a company’s total worldwide annual turnover, whichever is greater.

Richard Anning, head of the IT Faculty at ICAEW, has said there are a number of misconceptions about the regulation.

“First is that GDPR does not apply to small business, and second that it will no longer happen due to Brexit. Both are incorrect; GDPR applies to personal data regardless of the size of the organisation, and the regulation comes into law while the UK is still a member of the EU (and equivalence should follow).”