Since the GDPR came into force in May 2018, the EU’s supervisory authorities have announced over €370 million in fines, although some of these are still proposed rather than final. The UK ICO served British Airways with a notice of intent to fine it a record £183m (approximately 1.5% of its global annual turnover) in relation to a data breach first disclosed on 6 September 2018, in which attackers gained access to approximately 500,000 customer records. Likewise, the ICO announced its intention to fine Marriott International £99 million (approximately $123 million) in relation to a breach of the Starwood guest reservation database that exposed up to 383 million guest records. Regulators are clearly willing to use their powers, and a failure to comply with the GDPR can have serious consequences for those involved. So, what else can we learn from these fines?
1. Given that data subjects can complain to the DPA, compliance isn’t optional
This is especially true for larger companies such as Google, which was fined €50 million (about £44 million) by the French regulator, the CNIL, for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”. The complaints were filed in May 2018 by the privacy rights groups noyb and La Quadrature du Net, who claimed that “Google did not have a valid legal basis to process user data for ad personalization, as mandated by the GDPR”.
2. Privacy violations are taken far more seriously than other security violations
Article 83 of the GDPR sets two tiers of administrative fines. Breaches of the basic principles for processing, of data subjects’ rights and of the rules on international transfers (Article 83(5)) can be fined up to €20 million or 4% of total worldwide annual turnover, whichever is higher, whereas breaches of the controller’s and processor’s obligations, including the security requirements of Article 32 (Article 83(4)), carry a maximum of €10 million or 2%. The Google fine fell into the higher tier: the CNIL found that information about the processing was spread across several documents and hard for users to find, and that consent to ad personalization was neither specific nor unambiguous, since the relevant options were pre-ticked and bundled with other purposes. Data subjects’ rights sit in the same 4% tier, so failing to handle data subject access requests (DSARs) or to honour the “right to erasure” exposes an organization to the higher maximum as well.
3. If you repeatedly ignore the warnings, the fines will go up
Naturally, if an organization fails to improve its security posture after a data breach, regulators can, and will, increase the penalty accordingly. One example is the Rousseau platform, which received the first GDPR fine issued by the Italian DPA, the Garante. After suffering a breach in the summer of 2017, the platform was ordered to adopt improved security measures. When the Garante followed up, roughly two years after the breach, it identified a large number of security flaws, such as out-of-date software, weak password handling and inadequate logging and monitoring of access to sensitive data. As a consequence, the Rousseau platform was fined €50,000.
4. If the big players are failing to comply, it’s likely that SMEs are failing too
If the likes of Google, BA and Marriott International are struggling to comply with the GDPR, we can assume that small businesses are struggling too. According to the 2019 GDPR Small Business Survey, around half of respondents were not completely sure whether they were giving data subjects a clear and concise explanation of how their data was processed, or whether they could identify a lawful basis for using someone’s data. Many were also confused about basic data security concepts, such as encryption.
If you want greater peace of mind that a GDPR fine isn’t heading your way, it’s worth considering a Data Security Platform to help you secure your GDPR-related data. Check out how LepideAuditor can help you meet GDPR compliance.