    28 Apr 18

    GDPR – Storm in an IT cup?

    unlokq

    I always find it enlightening as an alleged IT guy when legal types talk about GDPR. They have a much more pragmatic view of its implications as opposed to those in IT. I will relay some numbers that I heard recently whilst listening to a seminar.

    1. For the year 2016 there were 16 instances of organisations being fined by the ICO in the UK under current data protection regulations.
    2. This is from a total of 1,950 self-reported breaches.
    3. The average fine was £100k per fine, with TalkTalk being the main contributor with a sole fine of £400k.
    4. The deputy ICO has stated that the number of self-reported breaches will increase to 30,000 after GDPR is in force.

    Let’s first look at the figures, assuming nothing else changes. With 30,000 self-reported breaches and the same conversion rate (reports to fines) of a staggering 0.8%, we can expect 246 fines. Given that for companies with a turnover of less than €500m the fine will be €20m, you would expect the fines collected to be close to £5bn. Very impressive when compared to the £1.6m actually collected!

    But is this realistic? Let’s look at some reasons why the fines may not reach these heady heights:

    1. The capacity of the ICO to handle a 15x increase in reported breaches. Though the ICO has been granted additional resource, it is not by THAT much. Coupled with the usual ‘visits’ and warnings that are par for the course, hitting 246 fines is highly unlikely.
    2. With no disrespect, the capability of litigation staff within the ICO is being eroded. Basically, there is a shortage of staff with solid GDPR knowledge. They are being pulled from the ICO into the private sector where the wages are higher. The ICO will only litigate in cases that they are sure they can win. Losses can be expensive in real and reputational terms. The targets are likely to be:
       1. Those where there is a political will to attack specific cases
       2. Those with smaller legal teams than those of the ICO – since protracted cases of arguing black is white are a drain on finite resources
       3. Obvious breaches.
    3. The types of organisation that ‘self-report’. In short, these are of 2 types:
       1. Telcos – under a legal obligation since 2011
       2. Government departments and other agencies – that have no risk profile

    For those that DO understand risk, i.e. every other organisation within the UK and beyond, what does this mean? Well, simply put:

    RISK = HARM x PROBABILITY (OF HARM)

    Harm can also be of 2 types (according to the ICO):

    1. Direct monetary harm in the form of the fine -- we can use the €20m as a good starting point.
    2. Indirect harm through loss of income from reputational damage to your organisation.

    Leaving the reputational damage aside for the moment – you can look at the reputational impact on Target in the US if you believe there is actually any reputational harm caused – let’s deal with the probability component from a purely financial perspective.

    We know that there are around 3m businesses in the UK and around half (actually 46%) will have a breach within any reporting year. This is proof in itself that organisations play the risk game – not the game of risk – since the deputy ICO expects only 30,000 of 1.5m (0.02%) will *actually* self-report.

    If this is the case, and taking the deputy ICO’s figure of 30,000 as gospel, this would give a total monetary risk of around €400k (€20m x 0.02%). But we have previously calculated that a theoretical maximum of only around 246 (of 1.5m) of these would convert to fines, giving a risk of around €4k. Not very much, right? But this still assumes that the ICO has the capacity to deal with 246 litigations; since this would require a 15x increase in resources, we can safely assume that this is too high. A more realistic estimate, if we assume that resource within the ICO has doubled (it hasn’t!), is that they are only actually going to fine 32 (still of 1.5m) organisations, equating to €400 of risk.

    Taken literally, this means that you shouldn’t be spending any more than €400 on your GDPR compliance if you are turning over less than €500m. This is clearly not the advice, but it is what the numbers say.

    Put another way, your chances of getting fined are so low that you should not be expecting to get fined at all -- regardless of the hype GDPR is currently getting in the run-up to May 25th.

    This message needs to be relayed through your business and flowed down to the IT teams, who may be spending money hand over fist in their panic to solve a problem with limited real impact.