The first year of GDPR cost businesses over €359 million in fines
This summer marked one year since the General Data Protection Regulation (GDPR) came into effect. While there was some confusion leading up to GDPR, everything is undoubtedly much clearer now.
12 Months, 12 fines, and 12 lessons learned
Over the last 12 months, we saw a number of companies make the headlines for their transgressions. But before we get ahead of ourselves, let's define the regulation.
What is GDPR?
GDPR is a set of rules and regulations designed to give citizens of the European Union (EU) more control over their personal data. The aim here was to simplify the whole regulatory environment for companies so that both businesses and citizens can fully benefit from the digital economy.
These reforms were specifically designed to reflect our modern connected world where data is generated from multiple sources, every second of the day.
These regulations address everything related to personal data, privacy and consent, and how this information is managed, stored, and protected.
Under the terms of GDPR, companies have to ensure that personal data is collected legally and under strict conditions. It’s also the responsibility of organizations to protect this information from being exploited or misused.
Whenever businesses fail to fulfill their responsibilities, they will face penalties. Here's a quick recap of these regulatory violations and the lessons we can learn from them.
12 Hefty fines that grabbed the headlines
GDPR has a two-tier system for penalties:
Maximum 2% of global revenue for security violations
Maximum 4% of global revenue for privacy violations
1. An unnamed small business in Austria - €4,800
A small local business was fined €4,800 as their CCTV camera captured too much public space.
2. Knuddels - €20,000
The German chat site, Knuddels.de, was fined €20,000 for storing passwords in plain text. The fine was relatively small as the company disclosed and resolved the issue promptly.
3. Central Hospital of Barreiro Montijo - €400,000
The Portuguese hospital was fined €400,000 for allowing staff to use bogus accounts to access sensitive patient data.
4. Google - €50,000,000
French authorities fined Google €50 million for collecting personal user data without consent or providing adequate transparency.
5. Taxa35 - 1.2 million DKK
The Danish taxi company was fined over €160,000 for retaining over 9 million contact records that were no longer in use.
6. An unnamed firm in Poland - €220,000
An unnamed firm was fined €220,000 for scraping the internet for public contacts. This information was used in commercial outreach exercises involving 90,000 people (12,000 of whom explicitly objected to the unauthorized use of their data).
7. MisterTango - €61,500
MisterTango in Lithuania was fined €61,500 for accidentally exposing personal user data, including payment details, over a period of two days.
8. La Liga - €250,000
The Spanish football league, La Liga, was fined €250,000 for using its mobile app to illegally turn on users' microphones.
The app listened for background match sounds and combined them with geolocation to identify venues showing potentially pirated streams. This data was then used to sue 600 bars for illegal broadcasts of football matches.
9. Sergic - €400,000
The French company, Sergic, was fined €400,000 because of a lack of user authentication controls on its website.
Users were able to easily access other people's sensitive data simply by changing an identifier in the URL. This vulnerability exposed national ID cards, tax notices, and other confidential documents.
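The flaw described above is a missing authorization check on a document lookup. The following is an added illustration, not Sergic's code: a document endpoint that trusts the ID taken from the URL, beside a hardened handler that confirms the requesting user owns the document before returning it. The document store, user IDs and document kinds are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    kind: str


# Constructed sample store: documents belonging to two different users,
# addressed by the numeric ID that appears in URLs like /documents/<id>.
DOCUMENTS = {
    101: Document(101, owner_id=1, kind="national ID card"),
    102: Document(102, owner_id=2, kind="tax notice"),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to see the document."""


def fetch_document_vulnerable(session_user_id: int, doc_id: int) -> Document:
    """Insecure: only checks that the document exists. Any logged-in user can
    read anyone's file by editing the number in the URL."""
    return DOCUMENTS[doc_id]


def fetch_document_hardened(session_user_id: int, doc_id: int) -> Document:
    """Authorization check: the document must belong to the session user.
    'Not found' and 'not yours' are reported identically so callers cannot
    enumerate which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        raise Forbidden(f"document {doc_id} is not accessible to user {session_user_id}")
    return doc


def handle_request(path: str, session_user_id: int, handler) -> str:
    """Parse a path like '/documents/102', dispatch to the given handler and
    return an HTTP-style status line. The handler argument lets the same
    request be run against the vulnerable and the hardened lookup."""
    prefix = "/documents/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        return "400 Bad Request"
    doc_id = int(path[len(prefix):])
    try:
        doc = handler(session_user_id, doc_id)
    except (Forbidden, KeyError):
        return "404 Not Found"
    return f"200 OK: {doc.kind}"
```

Running the same request for user 1 against both handlers shows the difference: the vulnerable lookup returns user 2's tax notice, the hardened one does not.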
10. British Airways - £183 million
The United Kingdom's national airline, British Airways, was fined £183 million for a data breach that exposed half a million customer records. The website was compromised because of weak security protocols. It's still the largest fine to date!
11. Haga Hospital - €460,000
The Haga Hospital in the Netherlands was fined €460,000 for lack of access controls over patient records. This only happened after 197 employees accessed a Dutch celebrity’s highly sensitive medical records.
12. Marriott - £99,000,000
Marriott was fined £99,000,000 after the acquisition of its competitor, Starwood. The data breach was directly related to Starwood's central reservation database, which exposed 5 million unencrypted passwords and 8 million credit card records over four years (from 2014 to 2018).
GDPR fines add up to more than €359 million
Broken down by year, there were three major security incidents in 2018 which resulted in GDPR fines totaling €424,800. In 2019, there were nine security events which led to GDPR fines totaling €358,780,500. That makes a grand total of €359,205,300 in fines.
12 Lessons learned
As you can see, GDPR fines ranged from a few thousand euros to millions of euros. The severity of the punishment was directly tied to the severity of the violation. So if your company is actively taking steps to ensure compliance, the fine won't be as harsh.
1. Blatant violations will receive the harshest penalties (ex: Google).
2. Encryption can protect your sensitive customer data in the event of a breach (ex: Marriott).
3. EU citizens know their rights and are highly likely to report violations. Businesses that choose to claim ignorance are guaranteed to receive hefty fines.
4. Establish a GDPR-compliant data privacy program. This approach will be critical to avoiding huge fines.
5. Disclose a breach ASAP. Inform your customers and the relevant authorities within 72 hours. Timely action will also reduce the risk of exposing sensitive data and help reduce the fine (ex: Knuddels).
6. Remediate compliance issues or security incidents immediately. In the long run, this approach will help retain brand value.
7. A security audit can help identify unknown vulnerabilities.
8. Engage in white hat hacking or penetration testing. This exercise will help identify and plug holes in your enterprise technology infrastructure.
9. Deploy real-time monitoring. When you monitor activity in real time, you have a better chance of responding to a cyberattack effectively.
10. Make staff security training a part of your corporate culture. Humans continue to be the weakest link. Regular training workshops can help mitigate your exposure to risk.
11. Follow cloud security practices.
12. Don't be afraid to reach out to security experts whenever you need help!
To learn more about GDPR and how you can avoid potential compliance issues, schedule a commitment-free consultation.