GDPR & Data Breaches 6 Months On.
The value of the average data breach fine issued by the Information Commissioner’s Office (ICO) in the UK has doubled in one year, reaching £146,000, according to the City law firm RPC.
The total value of fines imposed by the ICO has risen by 24% compared to 2017, reaching just under £5m at the end of September.
Credit reporting agency Equifax was issued the maximum £500k fine last month for failing to protect the data of 15 million people when it was stolen in a cyber attack in 2017.
According to Richard Breavington, a partner at RPC, ‘A doubling in the average size of fine should serve as a wake-up call to business. However, political pressure is mounting.’
The ICO issued its first enforcement notice under the new rules in September. They fined AggregateIQ, who allegedly used the data of 87m Facebook users to sway voters during the 2016 EU referendum.
Facebook has also just been fined £500K for failing to protect users’ information and for a lack of transparency about how this data was being used. Companies need to understand the new rules and ensure that all their staff are aware of them and that there is full compliance. As this activity was prior to the new European GDPR ruling, the fine isn’t included in the figures above and was capped at the maximum of £500K. However, should such a serious data breach occur today, its maximum fine would be 4% of global turnover, which could be as much as $1.9 billion.
Heathrow Airport also saw a fine of a mere £120K for a ‘serious’ data breach, for failing to secure ‘sensitive personal data’ when an employee lost a memory stick that was not encrypted or password protected. Only 2% of staff had been trained in data protection, and there was a widespread practice of staff downloading sensitive data onto memory sticks, which contravened the company policy as well as GDPR rules. Had Heathrow been penalised under the new rules, it could have seen a penalty of £17 million or 4% of turnover.
BA now has an open case with the ICO over the recent data breach from its website, and since this is post-May, legal experts are questioning whether the new data laws could see BA receive fines of up to £500 million if it is found to be in breach of the new rules.
Fines are coming not only from the data watchdog, the ICO, but also from elsewhere. Morrisons has just lost its appeal against a High Court ruling that it is legally liable for a former employee leaking personal information about 100,000 staff members, and it may now face compensation bills running into millions. This result will sound alarm bells for other businesses and have huge ramifications for others in the future. Companies need to take responsibility for their data; it’s about protecting people as much as their data.
It is becoming increasingly clear that we need to create a strong culture of responsibility.
A recent Versasec survey examining the impact of GDPR 6 months on shows that the privacy regulation cost more to implement than was anticipated. However, other non-EU companies are also beginning to adopt similar regulations in anticipation of new rules in their own territories, as 30% believe that more stringent privacy rules are likely worldwide.
The biggest concern of those surveyed was to ensure all employees comply with the rules. Their fears stem more from the fines they could face due to GDPR and data breaches than from losing revenue or customers.
59% of respondents admitted their company was still not fully compliant on May 25; their challenges centred around educating employees and having enough resources to implement the new regulation.
Data is important, and the fines and ramifications for businesses are huge. From the directors down, all staff need to be aware of the importance of data and cyber security, from passwords and encryption to downloading and memory sticks. Training staff in an engaging and motivating way will go a long way to ensuring processes and policies are followed and systems are protected.
The repercussions can be devastating, whether financial, legal, personal, reputational or much worse…