03 Oct 2017

Businesses face insolvency over data breach fines

Business say they face the risk of insolvency if they had to pay new maximum fines for data breach.


Over half of UK small businesses and nearly one third of larger companies are still not familiar with the General Data Protection Regulation (GDPR) despite its introduction being now less than a year away. The worst performing sectors include real estate and construction, where 35 per cent of senior decision-makers across all real estate businesses admit they are not familiar with General Data Protection Regulation (GDPR).

Insolvency risk

The research, carried out by London law firm Collyer Bristow,  also found that 18 per cent of businesses said they would be at risk of going insolvent if they were forced to pay the new, higher maximum fines allowable. Under the GDPR, organisations that breach it will be subject to fines of up to €20 million or four per cent of worldwide turnover, whichever is higher. Previously, fines were set at a maximum of £500,000.


The new GDPR makes a significant tightening of data protection compliance regulation and comes into force on 25 May 2018. It harmonises data protection rules across the European Union and applies to all organisations collecting personal data. Lack of knowledge of the GDPR across all businesses is still high, with over a quarter (27 per cent) of senior decision-makers at all UK businesses not familiar with the upcoming changes.

Further findings from the research reveal:

57 per cent of businesses’ senior management have little or no direct involvement with data protection

34 per cent of businesses have no plans to perform a data risk assessment in 2017

23 per cent of business have no data breach contingency plan in place

20 per cent of businesses have still taken not steps to prepare for the GDPR


Patrick Wheeler, partner and head of intellectual property and data protection at Collyer Bristow, said: 'It cannot be overstated just how far reaching a change the GDPR will be to the data protection landscape in the UK. It impacts any business that deals with personal data – no matter how small. The potentially-enormous penalties mean that no business can afford to treat its data protection policies and procedures as a low priority.' He added that 'the new regime comes at a time when data is becoming increasingly important to businesses. Owning and exploiting customer data is now a key part of a business’ competitive strength – meaning the GDPR really is raising the stakes.'