NI: Pinsent Masons warns of tougher EU data breach fines for businesses
A leading Belfast regulatory expert at Pinsent Masons has said that a potentially massive hike in EU data breach fines could take a heavy toll on businesses, particularly in Northern Ireland.
Analysis of the EU's political agreement on the wording of the new General Data Protection Regulation found that the new turnover-based fine could leave any business with a turnover in excess of £12.5 million worse off than under the current regime: 4% of £12.5 million is £500,000, the current maximum penalty.
Laura Gillespie, litigation and regulatory partner at Pinsent Masons, said: “In recent research with the NI Chamber of Commerce we highlighted that 4 out of 5 NI businesses identified a data breach as their biggest crisis threat.
“These changes have been long signposted and reflect the increasing threat and seriousness with which authorities will view data handling and security. This may explain the radical change of approach that could represent a massive increase on the current £0.5m cap.”
“All of the 2015 Top 100 have a turnover far in excess of £12.5m and many other businesses in Northern Ireland will too; this will mean that those businesses could face fines of millions of pounds under the new regime. Of course, those with a turnover of less than £12.5m will still face fines of up to £500,000 if a breach occurs.”
A key element of the new reforms is the introduction of mandatory reporting of a serious breach to relevant authorities.
There is discretion under the current regime, but under the new regulation an organisation that suffers a breach will have to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned.
The notification to data protection authorities must include details such as the type of personal data compromised, the number of people the incident has affected, the likely consequences of the breach and what measures have been taken to mitigate its possible adverse effects.
The regulation is still progressing through the European legislative process and is not expected to apply for some time, so businesses have time to review their systems and processes for compliance before it does.
Ms Gillespie added: “The force behind the new regulation emphasises the need to take data security seriously. To protect themselves, businesses should invest in their IT systems and training to demonstrate having taken all reasonable and proportionate steps to reduce the risk.
“However no system is perfect, and businesses should also have the appropriate protocols in place via an Incident Response Plan so breaches can be identified, contained and rectified in a timely manner.”