It’s been a year and a half since the game-changing data protection law known as GDPR (General Data Protection Regulation) came into force in the EU.
Since helping organisations become 100% GDPR compliant in a simple and effective manner is one of our core services, we thought it would be interesting to have a retrospective of 2019 in GDPR fines and learn from others’ mistakes.
In 2019 alone, the fines issued under GDPR have reached enormous sums, with the top 10 alone amounting to £343m and hitting the budgets of tech giants such as Google as well as smaller organisations. Moreover, since May 2018, European data protection authorities have received more than 90,000 data breach notifications, and the number seems to be on the rise.
The Top Three GDPR breaches in 2019
The most significant GDPR fine in 2019 was incurred by British Airways and amounts to £183m, after a group of hackers used card skimming to harvest the personal and payment information of up to 500,000 of the airline’s customers over a two-week period.
The second spot, with a fine of £100m, goes to the American multinational firm Marriott International, after it notified the ICO of a cyber-security incident which resulted in the exposure of 339 million guest records, of which 30 million were linked to residents of 31 European countries and 7 million to UK citizens.
Last but not least, tech giant Google incurred a more “modest” fine of £44m, imposed by CNIL (France’s communications watchdog). The fine was issued after CNIL concluded that Google failed to provide its users with enough information about its data consent policies, did not give them enough control over their personal information, and overall lacked transparency.
These three incidents amount to £327m, which makes up almost 90% of the total fines levied against the top 10 companies.
But do these enormous fines ultimately lead to better practice and responsibility towards the users?
According to an article published in Threat Post, not necessarily. Matthew Gardiner, Mimecast’s cybersecurity strategist, believes that the issue of security can’t be solved with fines. Moreover, he believes that harsh penalties only add more cost and complexity to the post-breach management challenge.
His opinion is supported by a 2018 study by CompariTech, which analysed 28 companies that had suffered significant data breaches in order to see how they performed on the market after the incidents. The full study can be read here and it shows that all the companies hit a low point immediately after a data breach. The companies include: Apple, Adobe, Anthem, Community Health Systems, Capital One, Dun & Bradstreet, Facebook, First American Financial, eBay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.
What’s important to keep in mind is that the study cited above only investigated stock performances, which don’t include costs associated with the loss of customers, customer remediation, legal costs and so on.
According to an IBM-sponsored study conducted by the Ponemon Institute, all those additional costs can add up to £122m per record breached!
At the opposite pole, James Carder, CISO and vice president of LogRhythm Lab, believes that these fines will motivate business owners to work out strategies and treat GDPR seriously, to ensure that they never get hit with these kinds of penalties again.
A strong point was made by Colin Bastable, CEO of Lucy Security: “Kill the ‘if it is free, you are the product’ market. Make it illegal to hold consumer data without annually renewing contracts with each consumer. Give consumers personal copyright over their personal data, with rights to sue leakers into oblivion.” He also reminds us that only 3% of data breaches are caused by malicious hackers, the rest being preponderantly human error.
What’s to be done, in this case?
In the light of recent high-profile cases, businesses operating in the EU now have a better understanding of the financial and reputational consequences of failing to comply with the newly imposed data protection regulations, while consumers are becoming increasingly aware of their personal information and how companies use it.
The strict data protection rules are likely to sharpen in 2020, along with the value placed on individuals’ data privacy.
It’s crystal clear that GDPR compliance is a key factor in maintaining an ethical practice and avoiding security incidents and penalties – because, in the end, reputation is worth more than money in the long run. The way we handle personal data has changed dramatically and will continue to do so, which is why organisations should keep investing in educating and training their employees to understand that data management has sweeping implications for the whole company, not just for the IT division.
If you’re not entirely certain if your company is GDPR compliant on every level of activity, contact us today and let’s get you up-to-date.