Companies must prepare for new tougher EU rules on data protection, or face big fines, PwC has warned.
The financial services firm said new rules, coming into effect next May, could see fines soar to 20m euros (£17.4m) or more.
The number of fines for data breaches had already risen from 18 in 2015 to 35 in 2016, amounting to £3.2m in total, PwC said.
There were also 23 enforcement notices, where organisations were required to improve compliance – a 155% increase.
According to PwC’s research, the UK is one of the most active places in Europe for regulatory enforcement in this area, along with Italy.
Penalties issued by the UK Information Commissioner’s Office in 2016 included a record £400,000 fine for telecoms firm TalkTalk over security failings that allowed a cyber attacker to access customer data “with ease”.
In 2015 the online pharmacy Pharmacy 2U was also told to pay £130,000 after it sold details of more than 20,000 customers to marketing companies without their consent.
However, PwC said that when the new General Data Protection Regulation (GDPR) becomes law across the EU next May, firms would face much tougher obligations and penalties.
In particular, the Information Commissioner’s Office will be able to issue fines of up to 4% of global turnover, or 20m euros – whichever is higher. At present the regulator can only issue fines of up to £500,000.
“UK organisations must use the remaining time to prepare for GDPR compliance before May next year,” said Stewart Room, an expert in global cybersecurity and data protection at PwC.
The UK is due to adopt the new rules before it leaves the EU, and PwC said the UK was unlikely to water down the protections after it left the union.