Jessica Fino 1 Jun 2017 05:23pm

UK data protection law breaches cost firms £3.2m

The number of fines imposed on firms for breaching data protection law almost doubled in 2016, according to PwC

The Big Four firm said there were 35 fines related to data protection breaches in the UK last year, compared to 18 in 2015. These fines totalled £3.24m.

It added that UK organisations risk even larger fines if they fail to ensure compliance with the General Data Protection Regulation (GDPR) rules, which are coming into force next year.

After analysing data from the UK Information Commissioner’s Office (ICO), PwC found that 23 enforcement notices were issued in 2016, a 155% increase on the nine notices issued in 2015.

Enforcement notices are issued when organisations are required to take steps to ensure compliance after a data breach.

Stewart Room, PwC’s global cyber security and data protection legal services leader, said, “The ICO can currently issue fines up to £500,000, but with this set to increase to up to 4% of global turnover under the new regulation, UK organisations must use the remaining time to prepare for GDPR compliance before May next year.

“It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention.”

The report added that the UK was “one of the most active regions for regulatory enforcement action in Europe”, along with Italy, where fines totalled €3.3m (£2.86m).

PwC's latest CEO survey pointed out that 90% of CEOs around the world believe breaches of data privacy and ethics would have a negative impact on stakeholder trust.

GDPR becomes law from 25 May 2018 across the EU. It will impose new compliance obligations including new rules about breach disclosure, data portability and data use consent.

Organisations that fail to comply could face penalties of up to 4% of global turnover or €20m, whichever is higher, PwC warned.