The Biggest GDPR Fines for Breaches in 2020
Breaching the GDPR can cost you up to €20m or 4% of annual global turnover, which is why we are tracking the size of, and reasons for, the biggest GDPR fines of 2020 - to help you avoid them!
Since coming into effect in 2018, the General Data Protection Regulation (GDPR) has completely transformed how companies deal with their clients’ personal data. It brought about reforms which are tailor-made for the world of today and promised to come down hard on any companies which failed to respect them.
While most companies have cleaned up their act when it comes to data protection, there are plenty who still fall foul of the law and are being investigated and fined accordingly.
Our recent blog recounted the worst GDPR fines of 2019. To keep up with what happens in 2020, make sure to bookmark this blog!
Countdown of the biggest GDPR fines in 2020
- Currys PC World and Dixon's Travel fined £500k for historic breach
Only a couple of weeks into 2019 and the Information Commissioner's Office (ICO) is already demonstrating its resolution to tackle data breaches. Whilst not a GDPR fine - a bullet dodged for sure - we still feel it is worthy of including in the list.
The ICO handed out a £500k fine - the maximum possible under the previous legislation - to DSG Retail Limited, better known as Currys PC World and Dixon's Travel, for a historic data breach dating back to 2018.
The ICO investigation found:
- Point-of-sale systems were compromised and malware was installed on 5,390 tills at its stores between July 2017 and April 2018 leading to customers' personal data being harvested.
- The company had failed to secure its systems granting unauthorised access to 5.6 million payment card details of transactions and the personal information (including contact details and failed credit checks) of 14 million people.
- Its security arrangements were poor and the company had failed to adequately protect personal data: software patching was inadequate, there was no local firewall, and the network lacked both segregation and routine security testing. The ICO said the breach would significantly affect people's privacy, making them vulnerable to financial theft and identity fraud.
"Our investigation found systemic failures in the way DSG Retail Limited safeguarded personal data. It is very concerning that these failures related to basic, commonplace security measures, showing a complete disregard for the customers whose personal information was stolen. The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR."
It's not the first time the company has had security issues. Another part of the same company, Carphone Warehouse, was fined £400k for similar vulnerabilities back in January 2018.
As one of the main high-street retailers of PC solutions and security, consumers will be left wondering why Currys PC World isn't practising what it preaches.
- Don't be complacent about security - countless cases - from BA's bumper fine to this one - show we cannot simply blame hackers for any data breaches. The ICO isn't buying it. We must be able to demonstrate that we have appropriate technical and organisational measures and process data securely. DSG Retail was fined for security lapses and poor governance, not for the cyberattack itself.
- Don't underestimate the impact of data breaches on individuals - the fine is relatively modest compared to the harm (including financial loss and identity theft), distress and damage to customer trust as a result of this data breach. It would have been a lot bigger under the GDPR. No question.
- Do the maths - the ICO investigation found that the retailer failed to carry out routine security testing and there was inadequate software patching. If cost-cutting was a factor in this, no doubt it is regretting that decision now.
- Learn the lessons from past mistakes - non-compliance begets more non-compliance. If fines are issued to one part of the business, then you better start checking what's happening elsewhere in other divisions too. It's the compliance equivalent of whack-a-mole where non-compliance in one place leads to other issues popping up elsewhere.
Want to know more about GDPR?
If you've any further questions or concerns about GDPR, please leave us a comment below this blog. We are happy to help!