Data protection  

Five questions advisers should ask about GDPR

  • Understand what a GDPR ready advice firm will look like.
  • Learn how to handle data stored on paper and the type of software which will make a firm compliant with GDPR.
  • Comprehend the fines the ICO can hand out for data breaches.
CPD
Approx.30min

The Information Commissioner's Office (ICO) understands that information security breaches can occur within the most diligent of businesses. 

The amount of personal data a firm holds does not by itself determine the size of a fine. What does count is the ability to demonstrate that robust preventative measures were in place before the breach, together with how the firm responded once it became aware of it: reporting late is itself an infringement of Article 33, and the promptness of notification is one of the factors the ICO weighs when setting a fine.


In addition, the size of the firm is relevant when the level of fine is set. Article 83 of the Regulation requires fines to be "effective, proportionate and dissuasive", and the statutory maximum for the most serious infringements is the higher of EUR 20 million or 4% of total worldwide annual turnover, so a firm's turnover bounds what it can be fined.

Due regard will be taken to damage suffered, preventive measures taken (technical and organisational), previous incidents, co-operation with the ICO and prompt reporting. 

It is important to remember that this legislation is not about fines, but rather about preventing invasion of privacy and putting consumers and citizens first.

Key articles to look out for in the legislation:

  • Article 83: "General conditions for imposing administrative fines"
  • Article 33: “Notification of a personal data breach to the supervisory authority”

5. What are the top five pieces of advice on GDPR? 

  1. Take the time to understand the Key Definitions on the ICO’s website regarding GDPR. Have that base knowledge before you start reviewing everything; it is important to take time to digest the information being published by the ICO.
  2. One of the most common opportunities for hackers is the weakness of the system, so it is imperative that systems are kept patched, that back-ups are up to date (and kept offline and tested, because a backup the attacker can also reach, or one that has never been restored, is not a backup) and that a web application firewall sits in front of any web-facing application. A firewall reduces exposure; it does not remove the underlying weakness, which still has to be fixed.
  3. It is also important to understand the 72-hour rule, which is often misinterpreted. Article 33(1) requires notification to the ICO "without undue delay and, where feasible, not later than 72 hours after having become aware of" the breach: the clock starts when the firm becomes aware, not when the breach actually took place. Two caveats follow from the wording. First, the duty is to report without undue delay, so 72 hours is a ceiling rather than a target. Second, a breach that is unlikely to result in a risk to individuals' rights and freedoms need not be notified, but the firm must still document the facts, its effects and the remedial action taken (Article 33(5)) so that the ICO can verify that judgement.
  4. It is equally important to have "out of office" arrangements in place, such as a named deputy or on-call contact who can start the breach process, because the 72 hours do not pause for weekends: a breach identified on a Friday afternoon must still be notified by Monday afternoon.
  5. Take note of Article 32, "Security of processing", which sits at the heart of the legislation. "Processing" is defined broadly (Article 4(2)) and includes simply storing or consulting information that is in one's possession, whether or not that holding is deliberate: if you can see it, you are processing it. It is widely believed that bank account numbers, for example, are "sensitive personal data". While that is informally accepted, bank details are not categorised as such in the legislation. The GDPR's equivalent is "special categories of personal data" (Article 9, covering matters such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data used for identification, health, and sex life or sexual orientation) and data relating to criminal convictions and offences (Article 10). Bank details are ordinary personal data, which still attract the full Article 32 duty of appropriate technical and organisational security. So it really is important to understand what sensitive data means when reviewing your business; Articles 9 and 10 set out the distinction.

Steve Andrews is head of managed services at Focus Solutions


Please answer the six multiple choice questions below in order to bank your CPD. Multiple attempts are available until all questions are correctly answered.

  1. Mr Andrews refers to a government survey which reports what percentage of businesses know about GDPR?

  2. According to Mr Andrews: "GDPR is owned by just one department, it is not everyone’s responsibility." True or false?

  3. Which Article in the GDPR legislation refers to "Requirement to report within 72 hours of detecting the breach"?

  4. Mr Andrews suggests, once the entire filing system is cleansed to follow a robust process involving three steps. Which one is the odd one out?

  5. Mr Andrews says the legislation is not about fines, but about what?

  6. One of the most common opportunities for hackers is what?
