Earlier this year, the Information Commissioner’s Office announced that telecoms company TalkTalk would be issued with a £400k fine after investigators found that preventable weaknesses allowed a cyber attack to gain access to the personal data of over 150,000 customers.
TalkTalk called the fine “disappointing”, but one could argue they got off very lightly indeed. Had the attack happened in 2018, after the implementation of the EU’s new General Data Protection Regulation, the fine would have been staggeringly higher…
What’s the Cost Now?
At the moment, under the UK Data Protection Act, the ICO can fine a company up to £500k if it finds that a breached data controller’s security systems are in contravention of the DPA, either deliberately or in a way that the data controller should have known about but failed to prevent. Fines are decided by taking into account the company’s sector, size, and resources.
However, as technology advances and more and more of our life moves online, data breaches are becoming ever more serious in impact and the severity of penalties is increasing to reflect this.
What Will the Cost Be in the Future?
When the new GDPR comes into effect in 2018, companies will be liable to face fines of up to €20 million or 4% of their entire annual turnover – whichever works out to be higher.
The impact of this on a business is undeniable. It’s likely that many companies that suffer a hack and are found to be in breach of data protection laws will be forced into insolvency. For example, the famous PlayStation hack of 2011 cost Sony Computer Entertainment Europe £250k. But with an annual turnover somewhere in the billions, the cost of a similar hack after the new regulations come in would be substantially higher.
Won’t We Be Off the Hook After Brexit?
Afraid not! The GDPR regulations apply to all companies that work within the EU or serve EU customers so, if your company meets these criteria, it will have to comply. In all likelihood, the UK will also adhere to EU security regulations anyway, even if/when Brexit happens, so it’s important to be aware of the risks now.
If you’re looking for secure payment solutions which will help you descope your contact center from the requirements of PCI DSS, please get in touch with our data security consultants today. We’ll be able to advise you on the most practical PCI solution to take your business out of the firing line of the new GDPR legislation.