Britain on the hook for £122bn in fines under European Union GDPR, claims PCI Security Standards Council

SMEs on the hook for £52bn, while large organisations could be forced to pay £70bn

British businesses and other organisations could be fined as much as £122bn under the European Union's General Data Protection Regulation (GDPR) if they don't get their act together before it becomes law in less than two years.

That is the warning of the PCI Security Standards Council (PCI-SSC), which claims that if the level of cyber security incidents seen against organisations in the UK in 2015 is matched or exceeded after the GDPR comes into force, then British businesses, charities and government bodies could be fined as much as £122bn.

PCI-SSC bases its estimates on survey figures from the Office for National Statistics, which suggest that there were 2.46 million "cyber incidents" in 2015, with 90 per cent of large organisations supposedly suffering a security breach that year, while among SMEs the figure is 74 per cent.

Under existing data protection laws, large organisations would be on the hook for fines totalling £533m and SMEs £908m, according to PCI-SSC, assuming the Information Commissioner's Office (ICO) were notified of every incident and levied the maximum fine on each of them.

But if those same security lapses were judged under the GDPR, PCI-SSC claims that major organisations could be hit with fines of £70bn, while SMEs would be forced to fork out £52bn.

The estimate is very much theoretical and assumes that the organisations would have the maximum fines levied on them from day one.

Furthermore, data protection lawyers suggest that not only will different information commissioners across Europe take different attitudes, but that in the UK the ICO is unlikely to take a heavy-handed approach, at least initially.

Nevertheless, Jeremy King, international director at PCI-SSC, warned that companies still need to start preparing now.

"The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs," said King.

He added: "Companies, both large and small, need to act now and start putting in place robust standards and procedures to counter the cyber-security threat, or face the prospect of paying astronomical costs in regulatory fines and reputational harm to their brand."

It's not the first time that an astronomical figure has been put on the potential cost, in terms of fines, that the GDPR could impose on businesses in Britain - indeed, across the whole of the European Union. In July, consultants Capgemini published a similar survey, putting the figure even higher - £244bn.

The rising importance of cyber security - especially around personal data - has encouraged a growing number of organisations to appoint data protection officers to ensure that best practices and procedures are adopted organisation-wide.