IT may have disappeared from the headlines but GDPR has not gone away – and the first fines are expected soon, a cyber-security firm has warned.

The General Data Protection Regulation came into effect last May and comes with the risk of a penalty up to 20 million euros or four per cent of annual turnover.

But many companies are still not fully compliant with its rules on how businesses and public bodies handle and store personal data, according to Poole company C3IA Solutions.

It says many bosses have not followed through on their early preparation for GDPR implementation now that it has fallen from the public conversation.

Rupert Irons, threat and risk management sector manager, said: “We are awaiting judgements and possible fines for companies that have reported breaches under the new regulations.”

There has been a large increase in reports of data breaches and complaints from the public, the company says. The Information Commissioner’s Office (ICO) has expanded by 60 per cent since 2016 and is still growing in response to demand.

The commissioner’s office has issued more guidance on implementation, so any period of grace is ending.

Last September, British Airways revealed it had suffered a data breach in which up to 380,000 transactions had been affected.

Mr Irons said: “Many believe that the British Airways breach reported in the autumn may become the test case for how they are enforced in the UK. This is likely to focus minds and act as a reminder to businesses to make sure they are compliant.

“It’s worth remembering that failure to comply with GDPR can result in fines of 20 million euros, or four per cent of an organisation’s global turnover, whichever is greater.

“Of course, it would be much better for companies to look at GDPR now rather than wait for contact from the ICO after a data breach has been reported.

“But our work across the security sector leads us to believe that many firms are not as prepared as they ought to be.

“For example, the new guidance has details about information security – just a part of what GDPR covers. It makes clear that this is not just about ‘cyber-security’, but also about physical security and organisational security measures.

“Not only will poor information security leave a business in breach of GDPR, but it also risks real harm and distress to people as well as various types of fraud.”

Nearly 60,000 breaches had been reported across Europe since GDPR came into effect last year, Mr Irons said.

“Those companies we have been working with really benefit from our whole approach of looking at all their security.”