It is unsurprising that some companies have traditionally taken a half-hearted approach to data protection compliance. Until recently, small fines for violations were compounded by the Information Commissioner’s Office’s seeming lack of appetite for enforcement.
However, last year saw penalties increase significantly, with serious offences now punishable by a fine of up to £500,000. We have also seen the implementation of the e-privacy directive, new restrictions on cookie use, tracking and customer profiling, as well as a changed ICO enforcer with new priorities.
The most significant development, and one that should keep CEOs awake at night, is the proposed EU regulation which includes a new possible ‘nuclear’ fine of up to 2% of global turnover for serious data protection breaches. Companies can no longer think of data privacy as just a dull compliance topic.
It is fair to say that data protection due diligence should now be a real boardroom issue, not a backroom issue. The storm of new laws, fines and enforcement, with more to come, should fast-track this to the top of board agendas.
Rafi Azim-Khan, Partner, Pillsbury