Could GDPR be the next PPI?

27 April 2017

Met Police discuss possibility at breakfast briefing on cyber crime


Victims of cyber-attacks are currently under no regulatory requirement to report them, even if the police advise them to do so.

The General Data Protection Regulation (GDPR), which becomes enforceable from 25 May next year, will change all this. It applies to all companies, anywhere in the world, that process European Union (EU) citizens’ personal data, and has the power to fine companies millions if they fail to report a notifiable personal data breach to the relevant authorities.

“This is potentially the next PPI as it has an individual compensation element, so victims can go for compensation,” says Detective chief inspector Andrew Gould, head of the Metropolitan Police Cyber Crime Unit.

“If thousands are victims of one breach, law firms may want to take it on a ‘no-win, no-fee’ basis.

“Extrapolating from ICO (Information Commissioner’s Office) fines to GDPR rules, an average fine of £11m per breach would be imposed once the new regulations come into force next year.”

During the briefing, Detective chief inspector Gould discussed Met Police improvements in tackling cyber-crime, including the appointment of 300 new staff and the setting up of the Falcon (Fraud and Linked Crime Online) unit.

According to a survey by the ONS (Office for National Statistics), cyber-crime represents 48 per cent of all reported crime today, even though 90 per cent of cyber-crime is still believed to go unreported.

Quantifying the threats, Detective chief inspector Gould put organised crime at the top, followed by state actors, insider threats (both intentional and unintentional), hacktivists with political motivations and then terrorists.

Edward Cowen, CEO at Remora, which hosted the briefing, said financial organisations which find themselves the victims of cyber-crime tend to cover up what has happened, when reporting quickly can prevent further loss and increase the likelihood of the criminal being caught.

He said that “once something happens people want to spend,” but until it does, cyber-security is still fourth or fifth on the risk-list.

To read SC magazine’s report on the briefing visit

For more on GDPR and what it means for your business, read Amethyst’s report:

  • Amethyst can help your business get prepared for GDPR with our team of highly qualified and experienced specialists; many have more than 20 years’ experience in the fields of Data Protection, Cyber Security and Information Assurance.

  • To find out how we can help, contact us today:





