Online crime against retailers rose by 30% over the last year, according to a new crime survey published by the Home Office, raising concerns about the sector's preparedness for new data protection rules.

The 'commercial victimisation survey' found that there were 787 incidents of crime per 1,000 retail premises in 2016, up from 603 in 2015. The type of crimes experienced included hacking, website vandalism, viruses and the theft of money and information.

The figures support the findings of a recent survey by the British Retail Consortium (BRC) which revealed that cyber-crimes such as hacking and data theft represent 5% of the total direct cost of crime to retail businesses costing upwards of £36m. A separate survey from the Department for Culture, Media and Sport found that retailers who hold electronic personal data on their customers are 14% likely to have experienced a cyber security breach than those who do not.

With less than a year to the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, audit, tax and consulting firm RSM is warning that failure to prepare for the changes could see companies facing penalties of up to €20m, or 4% of annual global turnover.

RSM head of retail Andrew Westbrook said: “As more retailers shift to online, the amount of customer data they collect to help drive sales and improve the customer experience will continue to increase. With the new data protection rules coming in next year, now is the time to act and safeguard the business by ensuring that systems are secure and compliant. Failure to do so could lead to significant fines and the loss of customer trust.”

From May 25, 2018, retailers will have to ensure data processes protect the rights of individuals. An organised data protection programme will need to be established, with all activities accurately recorded. This obligation also extends to any third-party contractors or partners working with the business, presenting firms with much greater legal liability in the event of error.