The maximum fines for data breaches have significantly increased since GDPR was introduced. Under the Data Protection Act (DPA), £500,000 used to be the maximum penalty.
Post-GDPR, companies can now expect significantly higher fines of up to:
- €10,000,000 (£8.8 million) or 2% of total global annual turnover (whichever is higher) for lesser data breach incidents.
- €20,000,000 (£17.6 million) or 4% of total global annual turnover (whichever is higher) for significant data breaches.
Following the introduction of GDPR in 2018, initial reports showed that data breach complaints increased by 160%. This increase is worrying news for businesses, considering the scale of the fines they could be handed, and it shows just how critical it is that companies ensure their staff receive comprehensive GDPR training.
Top 5 highest GDPR fines ever imposed...
1. British Airways - GDPR article 32 breach - £183m fine pending
British Airways is now facing the mother of all fines as the result of a cyberattack which is believed to have started in June 2018.
Traffic on the British Airways website was redirected to a fraudulent website, where hackers were then able to harvest personal data.
The customer details of around 500,000 users were found to have been compromised by the attack, and it wasn’t until September of the same year that the ICO were made aware of it. Investigators found that British Airways was to blame due to poor security arrangements.
2. Marriott - GDPR article 32 breaches – £99m fine pending
Marriott International faces a staggering £99 million fine for a personal data breach affecting 339m people of which 30m reside within the European Economic Area (EEA).
The breach is believed to have taken place in 2014 after the Starwood hotels group had their systems compromised. Despite Starwood being acquired by Marriott in 2016, the breach remained undiscovered until 2018.
The ICO judged that Marriott had not carried out proper due diligence when acquiring Starwood and should have taken further steps to keep its systems secure.
3. Google Inc - GDPR article 4/5/6/13/14 breaches - fined €50m
In what was one of the most high-profile cases of the year, the French data regulator (CNIL) fined Google an astounding €50 million (around £43 million).
The fine was for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". Ad personalisation information was diluted throughout several different documents, hindering users from being made aware of their full extent.
Additionally, the choice to receive personalised ads was “pre-ticked” upon opening a new account, which is in direct defiance of the GDPR.
4. TIM - GDPR article 5, 6, 7, 17, 21 & 32 breaches - fined €27.8m
Italian data protection regulator Garante fined telecoms provider TIM €27.8 million for its cavalier approach to telemarketing and other GDPR breaches.
First, it sent out hundreds of thousands of unsolicited communications without the consent of data subjects who were on the "opt out" register or who were exercising their right not to receive marketing. In one case, it contacted a single individual 155 times over the course of a month!
Second, the privacy notices for TIM apps and promotions were not transparent, and they were unclear about the purpose for which data would be used. Consent was also incorrectly managed and often invalid - with a single consent being used for multiple purposes.
Data retention was also excessive - sometimes exceeding the 10-year time frame required by law and the five-year company policy.
In addition, there were flaws in its data breach procedures. TIM filed multiple breaches with the DPA but had failed to do so within the 72-hour deadline. In short, its systems and procedures failed to meet the "privacy by design" principle.
5. Austrian Post – GDPR article 5.1.a/6 breaches - fined €18m
Even national postal carriers aren’t exempt from the repercussions of breaching the GDPR. After an investigation, the Austrian Data Protection Authority (DSB) discovered that Austrian Post had drafted profiles of over three million Austrian nationals. As a result they were fined €18 million or around £16 million.
These profiles included personal information such as habits, personal preferences, residential addresses, and even possible political affinities. The data gathered was then sold to interested parties, such as private companies and political parties.
DSB ruled that Austrian Post had insufficient legal basis for processing this kind of data. The fine was so high because they were financially profiting from this behaviour.
Infamous pre-GDPR data breaches
Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That’s one for every seven or eight people on the planet!
But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That’s every single account under the Yahoo name, including Flickr and Tumblr.
The breaches knocked a huge chunk off Yahoo’s sale price - to the tune of $350 million. Having once been valued at $100 billion, Verizon paid just $4.48 billion for the core internet business. In October last year, Yahoo agreed to pay $50 million in damages - of which half will be paid by Verizon and the other by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).
But, what would have happened if this breach had taken place post-GDPR?
Of course, the scope of the breach was significant. But, what would have been crucial today, was that Yahoo didn’t disclose the extent of the breach within 72 hours like the GDPR requires. And with revenue in excess of $4 billion for the year 2012/2013, Yahoo would have faced an $80 million fine, or potentially as much as $160 million!
Facebook was slapped with a £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.
Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.
Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.
The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers, the ICO was forced to issue the fine.
Want to learn more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs including a regularly updated GDPR fines tracker for 2020.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!