Companies lack management buy-in for new data regulations

With fines set to escalate, companies need to ensure data compliance for the new regime next May.

Image: Less than a year left to comply with new rules (credit: sakkmesterke)

Under the General Data Protection Regulation (GDPR), the cap on each fine will be raised to £16.5 million (or four per cent of the worldwide turnover of the entity being fined), 33 times more than the current maximum fine of £500,000. £3.6 million in fines were imposed in the UK last year. In the UK alone, total fines issued by the Information Commissioner's Office for data breaches under the new regulations could top £118 million in its first full year as the size of fines regulators can impose soars. However, with regulators allowed to impose turnover-based fines and with more fineable offences being introduced, even this estimated level of fines could prove conservative over the long term.

Biggest challenge 

Matthew Holman, head of UK law firm EMW, comments: 'The GDPR will represent the biggest change to the law relating to data in 20 years, and companies are facing significantly higher fines than they do now.' He said that one of the biggest challenges faced by businesses was a lack of senior management buy-in. 'Larger businesses are mostly on top of compliance, but businesses of all sizes, no matter how small, need to reach that point; however, many are nowhere near it. The GDPR will apply to all businesses, regardless of size, sector, or turnover.'

Companies not prepared

Mr Holman says that many businesses will not be prepared for the new regime when it kicks in. 'Average industry estimates for the creation and execution of a GDPR compliance project are 12 to 15 months, so for those businesses that have not started, the clock is really ticking for them to begin,' he says. Furthermore, email data is one of the biggest challenges for compliance. 'Failure to respond promptly to subject access requests or right to be forgotten requests could result in significant fines, and the more email data you have, the harder it is to respond quickly and in a compliant manner.'

Specific steps

Businesses of all sizes must be compliant with the new GDPR in just a year, by 25 May 2018. The new regulations place stronger legal obligations on companies and ensure businesses take specific steps to collect, store, and use personal data more securely. Some of the key changes brought in by the GDPR include:

The ‘right to be forgotten’ so individuals can ask companies to delete their personal data

Making it harder for companies to get consent to use data

Businesses must appoint a data protection officer, who is expected to report directly to the highest management level
