There are two words that enter many external audit conversations: one is Brexit and the other is GDPR. The latter enabled all European countries to base their legislation on the same regulation, which makes things a lot easier for companies trading across Europe. If you are a company with European offices, policies can be easily shared and consistently communicated.
Preventing “events” (near misses/possible future breaches) from becoming “incidents” (probable/actual breaches) is essential to avoid fines. Here are just a few of the 27 companies fined by the ICO since the launch of GDPR*:
The ICO divides its data into two categories: breaches of PECR (Privacy and Electronic Communications Regulations) and breaches of the DPA (Data Protection Act). Over the last couple of years, the fines for each are as follows*:
May 25th 2017 – May 24th 2018 = £1,430,000 (DPA) + £3,262,500 (PECR)
May 25th 2018 – May 24th 2019 = £2,310,000 (DPA) + £1,597,000 (PECR)
Interestingly, PECR fines have dipped while DPA fines have risen significantly. Fines were issued across a variety of sectors including charity, health, marketing, media, telecoms, finance, transport & leisure, government and general business. The damage to a company’s reputation when an ICO fine is made public (which they all are) could be catastrophic for business. Word has it that the ICO is more likely to show leniency if it sees that a company has made a lot of effort, e.g. has delivered training, conducted audits etc.
So, what is the risk appetite of your business?
*statistics from www.ico.org.uk