Personal Data leaks are going to cost businesses more


It seems like every month another company suffers a data leak, whether through theft in a cyber attack or loss by a careless employee. Big names such as Pizza Hut, Equifax, Deloitte, Tesco Bank, Yahoo and HM Revenue & Customs have all been hit over the years, and the number of affected organisations is only growing.

According to a survey performed for the UK government, 46% of UK businesses were hit by a cyber breach or attack in 2016, up from the 24% reported in the same survey for the previous year.

To give an idea of the scale of the problem, the latest Breach Level Index report by Gemalto has revealed that almost 2 billion records were lost or stolen worldwide in the first six months of 2017, 164% more than in the previous six months. This is before schemes such as the General Data Protection Regulation put more pressure on businesses to notify the relevant authorities of data breaches, so this number is expected to rise.


With an increase in cyber attacks comes an increase in fines for businesses that failed to protect their data. Last year, TalkTalk was fined £400,000 by the UK Information Commissioner’s Office (ICO), a record amount for this type of leak.

Figures from the ICO on monetary penalties for breaching the Data Protection Act (1998) show an increase not only in the number of fines issued but in their total value.

  • 2017* – 52 Fines issued for a total of £3,977,500 (average fine £76,490)
  • 2016 – 32 Fines issued for a total of £3,059,000 (average fine £95,594)
  • 2015 – 19 Fines issued for a total of £2,216,250 (average fine £116,645)
  • 2014 – 11 Fines issued for a total of £1,152,500 (average fine £104,773)

* Figures given up to November 24th 2017

In addition to the fines already issued by institutions such as the ICO, businesses are facing legal action from those affected. Morrisons is the latest company to be sued, with staff taking legal action after their personal details were leaked by a rogue employee in 2014.

The auditor responsible for the leak was jailed for eight years in 2015, and Morrisons was awarded £170,000 in compensation, but staff received none of this. Employees continue to argue that Morrisons was ultimately responsible for their personal data and that they should be compensated for the “upset and distress caused by […] a failure to keep safe that information”.

Protecting Personal Data

Nationally Recognised Protection

The UK Government is aware of the importance of protecting against cyber attacks and, through the National Cyber Security Centre, it has released a number of recommendations for businesses looking to protect themselves.

The first is its 10 Steps to Cyber Security. This guidance explains what a cyber attack is and how businesses can protect themselves against attacks, preventing access to personal information stored on their web servers and internal networks.

Another is the Cyber Essentials scheme, which helps businesses to address five key security issues associated with common cyber attacks, in order to prevent the loss of personal information as well as business-critical data and intellectual property.

As well as these government-backed schemes, the British Standard BS 10012 can also prove beneficial. BS 10012 helps businesses to implement a Personal Information Management System that enables them to protect personal information from unauthorised access, and to manage it both legally and responsibly.

Internationally Recognised Protection

For businesses looking for internationally supported protection, the General Data Protection Regulation (GDPR) and the ISO 27001:2013 Standard should be considered.

Proposed by the EU and coming into force in May 2018, the GDPR sets out a number of requirements for the security of personal data, the protection of a data subject’s rights, and the actions you should take on discovering a data breach.

Based on international best practice, ISO 27001:2013 focuses on information security as a whole. It outlines a set of controls that need to be applied in order to operate a robust information security management system that addresses risks both online and within the workplace. ISO 27001 also takes into consideration business continuity and continual improvement for the continued success of the business.

Need help with your Information Security options?

If you are interested in securing personal information and protecting your business from cyber attacks, please speak with one of our experienced Certification Development Consultants today by calling 0333 344 3646 or by emailing [email protected].

About the author

  • Name:

    Michelle-Louise Janion

  • Company:

    Marketing Executive

  • Bio:

    Michelle worked for Citation ISO Certification from 2017 to 2019, producing engaging content around ISO Standards and other compliance related topics.
