
    The Biggest GDPR Fines for Breaches in 2020

    Published on 27 Jan 2020 by Lynne Callister

    Breaching the GDPR can cost you up to €20 m or 4% of annual global turnover, which is why we are tracking the size of, and reasons for, the biggest GDPR fines of 2020 - to help you avoid them!

    Since coming into effect in 2018, the General Data Protection Regulation (GDPR) has completely transformed how companies deal with their clients’ personal data. It brought about reforms which are tailor-made for the world of today and promised to come down hard on any companies which failed to respect them.

    While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly.

    Our recent blog recounted the worst GDPR fines of 2019. To keep up with what happens in 2020, make sure to bookmark this blog!

    Countdown of the biggest GDPR fines in 2020 

    1. Currys PC World and Dixon's Travel fined £500k for historic breach

    Only a couple of weeks into 2019 and the Information Commissioner's Office (ICO) is already demonstrating its resolve to tackle data breaches. Whilst not a GDPR fine - a bullet dodged for sure - we still feel it is worth including in the list.

    The ICO handed out a £500k fine (the maximum possible) to DSG Retail Limited - better known as Currys PC World and Dixon's Travel - for an historic data breach dating back to 2018.

    The ICO investigation found:

    • Point-of-sale systems were compromised and malware was installed on 5,390 tills at its stores between July 2017 and April 2018, leading to customers' personal data being harvested.
    • The company had failed to secure its systems, allowing unauthorised access to 5.6 million payment card details from transactions and to the personal information (including contact details and failed credit checks) of 14 million people.
    • Its security arrangements were poor and the company had failed to adequately protect personal data: software patching was inadequate, there was no local firewall, and there was no network segregation or routine security testing. The ICO said the breach would significantly affect people's privacy, making them vulnerable to financial theft and identity fraud.

    "Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."

    Head of Investigations, ICO

    It's not the first time the company's had security issues. Another part of the same company, Carphone Warehouse, was fined £400k for similar vulnerabilities back in January 2018.

    As Currys PC World is one of the main high-street retailers of PC solutions and security products, consumers will be left wondering why it isn't practising what it preaches.

    Key takeaways

    • Don't be complacent about security - countless cases, from BA's bumper fine to this one, show that we cannot simply blame hackers for a data breach. The ICO isn't buying it. We must be able to demonstrate that we have appropriate technical and organisational measures in place and that we process data securely. DSG Retail was fined for its security lapses and poor governance, not for the cyberattack itself.
    • Don't underestimate the impact of data breaches on individuals - the fine is relatively modest compared to the harm (including financial loss and identity theft), distress and damage to customer trust caused by this data breach. It would have been a lot bigger under the GDPR. No question.
    • Do the maths - the ICO investigation found that the retailer failed to carry out routine security testing and that its software patching was inadequate. If cost-cutting was a factor in this, no doubt it is regretting that decision now.
    • Learn the lessons from past mistakes - non-compliance begets more non-compliance. If fines are issued to one part of the business, you had better start checking what's happening in other divisions too. It's the compliance equivalent of whack-a-mole, where non-compliance in one place leads to other issues popping up elsewhere.

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, please leave us a comment below this blog. We are happy to help!
