LONDON — Companies that expose their customers information in data breaches could face far harsher penalties — including fines of up to 4% of their global annual turnover.
On Monday, the British government announced plans to strengthen UK data protection law with the a new Data Protection Bill.
Among the plans laid out in the bill is to give the ICO (Information Commissioner's Office) regulator the power to fine companies up to £17 million, or 4% of global turnover, in the "most serious data breaches."
It's a significant increase — the maximum fine that the ICO can currently levy is for £500,000.
It's likely that these powers would be used in major breaches like the 2015 hack of British telecoms firm TalkTalk that saw more than 150,000 customers' data compromised. Hackers were able to gain access using a rudimentary attack that has been known about for more than 15 years, and in its aftermath a parliamentary report called for businesses breached in similar ways to face "significant fines."
The Data Protection Bill will also make it easier for people to withdraw consent for the use of their personal data, and expand the definition of "personal data" so that it includes DNA, internet cookies, and IP addresses, among other changes.
In a statement, secretary for digital Matt Hancock said: "Our measures are designed to support businesses in their use of data, and give consumers the confidence that their data is protected and those who misuse it will be held to account.
"The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive."