UK companies and organisations could face huge fines when the European Union's General Data Protection Regulation (GDPR) becomes law.
The PCI Security Standards Council (PCI-SSC) warned that fines as high as £122bn could have been levied against UK organisations in 2015 based on the number of cyber security incidents.
PCI-SSC bases its estimates on survey figures from the Office of National Statistics, which suggest that there were 2.46 million 'cyber incidents' in 2015. Around 90 per cent of large organisations and 74 per cent of SMEs supposedly suffered a security breach in 2015.
Large organisations would face fines totalling £533m and SMEs £908m under existing data protection laws, according to the PCI-SSC, if the Information Commissioner's Office (ICO) were notified of every breach and imposed the maximum penalty.
The same security lapses under the GDPR would bump these figures up to £70bn for major organisations and £52bn for SMEs, the PCI-SSC said.
The estimate is very much theoretical and assumes that the organisations would have the maximum fines levied from day one.
Furthermore, data protection lawyers believe that different information commissioners across Europe will have different attitudes, and that the ICO is unlikely to take a heavy-handed approach, at least initially.
The numbers also ignore the fact that the Brexit vote makes it unclear exactly how the law will be enforced in the UK. Businesses will need to act within the GDPR framework to operate internationally, but the ICO may set up different fining mechanisms.
Nevertheless, Jeremy King, international director at the PCI-SSC, warned that companies need to start preparing now.
"The new EU legislation will be an absolute game-changer for large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs," he said.
"Companies large and small need to act now and start putting in place robust standards and procedures to counter the cyber security threat, or face the prospect of paying astronomical costs in regulatory fines and reputation harm to their brand."
It's not the first time that a huge figure has been put on the potential fines that the GDPR could impose on businesses in Britain and across the European Union. Consultants Capgemini published a similar survey in July putting the figure at £244bn.
The rising importance of cyber security, especially around personal data, has encouraged a rising number of organisations to appoint data protection officers to ensure the adoption of best practices and procedures.