Firms which breach data protection rules are getting off lightly and could soon face multimillion pound fines, according to a Norfolk cyber security expert.

It follows the ruling against Keurboom Communications, which was fined a record £400,000 by the Information Commissioner's Office (ICO) after making almost 100 million nuisance calls.

More than 1,000 people complained about the Bedfordshire-based company, which made unsolicited calls relating to road accident and insurance policy compensation.

The same fine was levied against telecoms firm TalkTalk after its huge data breach in October 2015.

But David Higgins, founder of Norfolk-based digital security company 4ITSec, says that figure could have been more than 30 times higher under new data protection legislation.

General Data Protection Regulation (GDPR), due to come into effect in May 2018 to replace the Data Protection Act, will give the ICO the power to hand down fines of up to 20m Euros (£16.8m), compared to the current £500,000 maximum.

Mr Higgins said: 'The new GDPR laws are aimed at protecting "personally identifiable information" in a much more rigorous manner – especially over the "right of consent", which must be explicitly given by the individual to have their data held for specific purposes.'

He added that the ICO is expected to enforce the new GDPR in a 'thorough manner'.

Keurboom has since been placed in liquidation, which the ICO says will make recovering the fine more difficult.

But Mr Higgins claimed liquidation was a 'typical ploy' by firms caught by the ICO under current privacy and electronic communications regulations to avoid paying fines.
