The UK ICO has just fined Carphone Warehouse (part of Dixons Carphone) £400k for serious failures in handling customer and staff data. That £400k is 80% of the current maximum fine of £500k that the ICO can hand out under the Data Protection Act 1998. It is also very small change for Dixons Carphone; it probably wouldn't even be noticed on the balance sheet.
So let's look at this in a post-GDPR world, after May 25th 2018. The maximum fine for the most serious breaches is up to £17.7m (€20m) or 4% of global annual turnover, whichever is the greater. Carphone Warehouse is part of Dixons Carphone, so it is Dixons Carphone, as the group, whose turnover counts and who will cop for the penalty post-GDPR.
Let's do the maths:
Dixons Carphone turnover for the year to April 29th 2017 was £10.5bn. (4% of that is way over £17.7m, so the 4%-of-turnover figure is the one that applies.)
4% of £10.5bn = £420m.
80% of £420m = £336m.
So, based on the 80% of the maximum that the ICO dished out in the pre-GDPR world, Dixons Carphone could have been looking at a fine of £336m in a post-GDPR world. (Sell that to the shareholders, Mr Chairperson!) You can hear the sigh of relief from here, along with the creaking of the balance sheet.
Even if the ICO was feeling compassionate and only issued a lower-tier fine (the €10m or 2% of turnover bracket), 80% of 2% of £10.5bn would still equate to around £168m.
As a GDPR practitioner I am not trying to scaremonger (there are plenty of pirates out there doing that already), and the ICO have said that fines are a tool of last resort. They (the ICO) would rather work with organisations to get them doing the right thing when it comes to data protection, and quite rightly so, but... it does make you think. Could your organisation take a hit of up to 4% of its turnover? Probably not!
Besides the fine, though, the damage to brand and reputation could be considerably more.
Get in touch with BMGUK Consultancy Ltd if you need to sort your GDPR compliance project and reduce the risk of significant penalties like this.