It’s been a busy few weeks in the world of personal data protection. Hot on the heels of the Yahoo breach revelation, two announcements from the Information Commissioner’s Office (ICO) have underscored the importance of robust data protection practices. These statements may not have grabbed the headlines in the same way Yahoo did, but they are revelatory in their own right and shed new light on the significance of the General Data Protection Regulation (GDPR).
Firstly, the UK Information Commissioner, Elizabeth Denham, echoed calls for the government to embrace the Regulation post-Brexit. Speaking to Radio 4, she explained that it’s ‘extremely likely’ that GDPR will come into effect before Brexit takes place and urged the government to adopt the Regulation in the long term, declaring, “I don’t think Brexit should mean Brexit when it comes to standards of data protection.”
This announcement was followed by the news that Denham’s office has levied a record fine of £400,000 against TalkTalk for a 2015 breach that exposed the personal data of 150,000 of its customers, including the sensitive financial data of more than 15,000 people.
These announcements may seem relatively unremarkable at first glance, but they reflect a subtle shift in the data protection landscape. Denham’s comments on Brexit came within days of UK Prime Minister Theresa May announcing that Article 50 will be triggered in the first quarter of 2017. As the timetable for Brexit becomes clearer, the importance of achieving GDPR compliance is coming into focus. If the government sticks to its guns, GDPR will enter into national law before Britain leaves the EU, meaning UK businesses must embrace the Regulation in the short term if they’re to avoid penalties.
They may well have to get used to the Regulation. It’s unlikely that the words of the Information Commissioner will go unheeded, and despite the Great Repeal Bill, the government can still choose to continue with GDPR post-Brexit if it wishes to do so. Even if it chooses not to, a new data protection framework would have to mirror GDPR to allow the UK to trade with the Single Market without any disadvantages.
The £400,000 fine handed down by the Information Commissioner’s Office is also telling, as it suggests a hardening of its stance on personal data breaches. In her relatively short tenure, Denham has repeatedly stressed the importance of protecting customers, and this fine indicates that her office won’t tolerate inadequate security practices when it comes to personal data. Denham’s statement regarding the breach was damning: “TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease.”
Although the TalkTalk fine was the largest on record, industry commentators were quick to point out that the size of the penalty would have been significantly larger under GDPR. The Regulation mandates that businesses report a data breach within 72 hours or face a fine equivalent to 4% of their global turnover. Based on its turnover in 2015, TalkTalk would have had to pay £73 million.
This figure serves as a stark reminder of the cost of non-compliance with GDPR, and if the current trend of large-scale data breaches continues, fines like these will no doubt become the norm. UK businesses still have time to address gaps in their information security posture, but this is only part of the compliance challenge. They must also ensure they’re processing and using data in line with the principles of the Regulation, and this process may be a complex and time-consuming undertaking in its own right. With only 19 months to go until GDPR enters into UK law, the time has come to take the Regulation seriously.