The average value of fines issued for data breaches doubled in the year to September 2018, from £73,000 to £146,000, adding to fears among large companies about penalties post-GDPR.
The total value of penalties imposed by the Information Commissioner’s Office (ICO) rose 24% on the previous year to £4.98m. Businesses expect the introduction of the GDPR (General Data Protection Regulation), which came into effect on 25 May, to lead to higher penalties—fines of up to €20m or 4% of the organisation’s turnover can be imposed under the GDPR, compared to a maximum of £500,000 under the previous legislation.
The UK’s first GDPR penalty notice was issued against AggregateIQ in September after it accessed the data of up to 87 million Facebook users. However, the ICO has said it will not be making early examples of businesses for minor infringements by issuing large fines.
Richard Breavington, partner at RPC, said: ‘A doubling in the average size of a fine should serve as a wake-up call to businesses.
‘Given that there seems to be no slowdown in the number of cyber-attacks today—businesses need to see how they can mitigate the risks to their customers when there is an attack. For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.’