This month, the information commissioner’ s office (ICO) fines TalkTalk for failing to adequately protect its customers’ personal data. The record-breaking £400,000 penalty followed a cyberattack of which the telecoms provider was the victim, however the incident brought to light serious failings in its data practices.
The incident comes at a turning point in privacy law, with the new European General Data Protection Regulation (GDPR) set to introduce severe penalties for data breaches, and the likely escalation of data protection to a corporate board level concern. If the GDPR was already in force, the fines TalkTalk might have rounded up to four per cent of its annual worldwide turnover – £71,800,000.
TalkTalk will be by no means unique among businesses in having gaps and weaknesses in its data handling practices. Many businesses, public bodies and charities are likely to have significant compliance gaps that could be brought to light if a cyberattack were to occur.
The GDPR
The first draft of the GDPR was published by the European Commission in January 2012, in response to calls for reform of existing law. After protracted negotiations, it became law on 25 May 2016, but its provisions will take effect after a two year “sunrise” period. As a regulation, the GDPR will take immediate effect in each European member state. This contrasts with its predecessor, Directive 95/46/EC (the Data Protection Directive), which was brought into force through national implementing legislation such as the Data Protection Act 1998 in the UK.
The GDPR will introduce a wide range of changes, and its potentially heavy penalties were a calculated move by the European Commission to escalate the importance of data protection to a corporate board level topic. However, there are widespread reports that many organisations are not prepared for – or in the worst cases, completely unaware of – the GDPR. There are a number of potential reasons for this, in particular, that the GDPR took so long to negotiate that many thought it would never come into force at all, and of course the EU Referendum result.
As an EU regulation, many may have believed, perhaps not surprisingly, that the GDPR would not become law in the UK following the “Leave” vote. However, as the post-Referendum dust starts to settle, for a number of legal and trade-related reasons, it seems more than likely that the UK will adopt the GDPR – and firms are at risk of facing the fines TalkTalk found itself with. Indeed Elizabeth Denham, the recently-appointed information commissioner recently commented in a BBC Radio 4 interview that “Brexit shouldn’t mean Brexit when it comes to standards of data protection.”
How organisations can prepare to avoid the fines TalkTalk will be paying
Businesses have just over 18 months to prepare for the GDPR coming into force. The good news is that many of its principles and concepts are similar to those of the Data Protection Act 1998. Accordingly, a good starting point would be to measure compliance with existing law, identifying compliance gaps and developing a rectification plan. Organisations should then consider the changes that the GDPR will introduce, and how these might affect them. For example: Will they have to appoint a data protection officer; do their data systems enable them to meet “right to be forgotten” requests; and do they have a robust data breach reporting policy in place?
The ICO’s message to UK organisations seems clear: The GDPR is coming and companies that fail to comply with their data protection obligations risk serious consequences. There is limited time to prepare and UK businesses should not waste a moment.
This article was first published in Real Business on 17 October 2016.