SMEs face larger fines in data protection rules update
BOTH LARGE and small firms need to ensure they are fully compliant with incoming data protection rules – or risk huge fines from the regulators. While the current maximum fine for UK companies that mishandle data sits at £500,000, the EU’s new General Data Protection Regulation will increase that limit to €20 million (£15.5 million) or four per cent of a firm’s global annual turnover, whichever is greater.
The legislation’s two-year transitional period has already begun, and firms need to make sure they are fully compliant by the time it ends. The Information Commissioner’s Office (ICO) has said the UK’s data protection standards will likely remain on a par with the European Union’s, despite the Brexit vote. “If the UK wants to trade with the single market on equal terms, we would have to prove ‘adequacy’,” an ICO spokesman said. “In other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.” “We have a lot to do within these two years,” Rocio de la Cruz, a privacy and data protection solicitor at Birmingham City Council, told Business Reporter.
Many firms mistakenly believe they are compliant with existing regulations, and they need to ensure their security is adequate before it is too late, she said. “It is something they need to work on,” de la Cruz explained. “A lot of companies think they are fully compliant with the Data Protection Act, but they do not review policies and security measures.
“Some companies are more advanced in this, but the majority are outdated and need to change this. You have to check all the policies and security measures are in place, make sure you are ready to share that data and audit the other party.”