Scottish businesses most compliant with data laws in Britain - PwC

Scotland has Britain’s best compliance record with data protection laws and is amongst the best in the UK, with just 1.9 per cent of the total £4.2m in fines being issued north of the Border.

Last year, from a total of 91 enforcements across the UK, there was just one breach of current data protection laws in Scotland leading to action from the Information Commissioner’s Office (ICO) There was also one ICO intervention with a single organisation in Northern Ireland.

With just days until General Data Protection Regulation comes into force on Friday, research from PwC has found that just a single business based in Scotland was fined by the ICO.

This led to a fine of £80,000 after the company in question was found to have made more than 100,000 marketing calls to numbers on the Telephone Preference Service (TPS).

Of the total 91 enforcement actions for breaches of current data protection laws taken by the ICO last year, 54 monetary penalties were issued to UK organisations, totalling £4,207,500 - an increase of nearly a million pounds over the previous year (35 fines with a total of £3,245,500).

Under the GDPR, organisations risk larger fines in the year ahead if they fail to ensure compliance.

As part of the global Privacy & Security Enforcement Tracker, PwC has analysed the UK Information Commissioner’s Office (ICO) data protection enforcement actions over the past four years, looking at monetary penalties, enforcement notices, prosecutions and undertakings. The ICO can currently issue monetary penalties of up to £500,000 and PwC’s analysis found that in 2017, 14 of the 54 fines issued (26 per cent) were of more than £100,000. Under GDPR, the fines for failing to comply can be up to 4 per cent of global turnover or €20m, depending on which is higher.

PwC’s head of cyber security in Scotland, Colin Slater, said: “While it is good to see Scotland leading the way in compliance, there remains an issue with marketing infringements and all businesses must ensure they are complying with ​the GDPR, given the scale of fines the ICO will be able to enforce from next year.”

Stewart Room, lead partner for GDPR and data protection at PwC, said: “Our analysis found that almost half of last year’s UK data protection enforcement actions were due to marketing infringements, but security breaches and misusing data for profiling purposes also continued to appear as substantial causes of failure. These are key areas for organisations to be mindful of as we move into this new era for data protection.

“The ICO has made it clear, however, that the GDPR is not about the increased fines and the maximum certainly won’t be the norm. It’s really about putting consumer rights at the heart of today’s data-centred world. There’s an option for organisations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust.

“Signs of progress are very encouraging. At Board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success. Findings from our GDPR Readiness Assessments, which we’ve run with over 220 clients globally over the last two years, show that, in general, highly regulated sectors such as healthcare and financial services, which are used to dealing with regulatory change, tend to have a slight margin over others in terms of preparedness.”

Realistically, despite the two years of preparation time, many organisations won’t be fully compliant when GDPR comes into force because of its sheer complexity and the widespread business process changes often required.

Designed to continue to support clients in this new data protection era, PwC will launch its MyDPO range of services on 25th May. These services will support Data Protection Officers and their teams to respond in the event of crisis situations (such as the new 72 hour data breach disclosure rule), as well as to assess compliance and breach readiness, and with ongoing data protection strategy and governance work such as managing their privacy mailboxes.