Ahead of GDPR implementation...
Single Scottish firm caught out by data protection rules
A company was fined £80,000 after making more than 100,000 marketing calls to numbers on the Telephone Preference Service (TPS).
The single offence was among 91 enforcements across the UK and the penalty represented just 1.9% of the total £4.2m in fines issued to 54 organisations by the Information Commissioner’s Office. There was a single case in Northern Ireland.
Research by PwC uncovered the figures ahead of the introduction of the General Data Protection Regulation (GDPR) on Friday which updates privacy laws.
The total penalties imposed last year were a million pounds more than the previous year (35 fines with a total of £3.2m).
Under the GDPR, organisations risk fines of up to €20m or 4% of global annual turnover, whichever is higher, if they fail to ensure compliance.
The ICO can currently issue monetary penalties of up to £500,000 and PwC’s analysis found that in 2017, 14 of the 54 fines issued (26%) were of more than £100,000.
Commenting on the findings, PwC’s head of cyber security in Scotland, Colin Slater, said: “While it is good to see Scotland leading the way in compliance, there remains an issue with marketing infringements and all businesses must ensure they are complying with the GDPR, given the scale of fines the ICO will be able to enforce from next year.”
Stewart Room, lead partner for GDPR and data protection at PwC, added: “Our analysis found that almost half of last year’s UK data protection enforcement actions were due to marketing infringements, but security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure.
“These are key areas for organisations to be mindful of as we move into this new era for data protection.
“The ICO has made it clear, however, that the GDPR is not about the increased fines and the maximum certainly won’t be the norm. It’s really about putting consumer rights at the heart of today’s data-centred world.
“There’s an option for organisations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust.”
He added: “Signs of progress are very encouraging. At board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success.
“Findings from our GDPR Readiness Assessments, which we’ve run with over 220 clients globally over the last two years, show that, in general, highly regulated sectors such as healthcare and financial services, which are used to dealing with regulatory change, tend to have a slight margin over others in terms of preparedness.”
Realistically, despite the two years of preparation time, many organisations won’t be fully compliant when GDPR comes into force because of its sheer complexity and the widespread business process changes often required.