
    Since the new General Data Protection Regulation (GDPR) came into effect on 25 May 2018, the focus on data is bigger than ever, and the price for companies who fail to protect their data has never been more costly.

    We take a look at the biggest fines issued both before and after GDPR.

    2018 was a busy year for the ICO...

    The Information Commissioner’s Office (ICO) issued the most - and largest - fines ever in 2018, including:

    • 11 fines totalling £1,290,000 to organisations for serious security failures
    • 11 fines totalling £138,000 to UK charities for unlawfully processing personal data in the 12 months to March 2018

    The maximum penalty in 2018 was £500,000, issued to both Facebook and Equifax, a consumer credit reporting agency.

    Facebook was slapped with the £500,000 fine for its role in the well-documented Cambridge Analytica scandal. The information of 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.

    Facebook was found guilty of allowing application developers access to user information without sufficient consent, failing to make suitable checks to secure personal information, and not taking action once the misuse of data was discovered.

    Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber attack. Hackers stole personal data including names, dates of birth, addresses, passwords, driving licences and financial details. The company had retained data for longer than necessary, making it vulnerable to unauthorised access.

    The systems compromised were actually based in the US, but because the UK branch failed to ensure its American parent was protecting UK customers, the ICO was forced to issue the fine.

    But all this was before GDPR came into effect...

    The fines issued to both Facebook and Equifax were imposed under the Data Protection Act (DPA), where £500,000 was the maximum penalty. Had their failings been discovered and investigated now, they would have faced significantly higher fines.

    Under GDPR, companies can now expect fines of up to:

    • €10,000,000 (£8.8 million) or 2% of total global annual turnover (whichever is higher) for lesser data breach incidents.
    • €20,000,000 (£17.6 million) or 4% of total global annual turnover (whichever is higher) for significant data breaches.

    The biggest fines under GDPR

    In January this year, Google was fined a staggering €50 million, the largest and most high-profile fine yet for GDPR violations.

    The fine was issued by the Commission nationale de l'informatique et des libertés (CNIL), France's data protection supervisory authority, for lack of transparency, inadequate information, and lack of valid consent regarding ads personalisation. We covered the story in detail in our January edition of Compliance News, where we examined the exact rules that Google broke.

    A hospital in Portugal has also received a fairly hefty fine of €400,000 for GDPR violations. The Centro Hospitalar Barreiro Montijo was found to have committed three major violations:

    • A violation of the data minimisation principle, by allowing indiscriminate access to an excessive number of users
    • A violation of integrity and confidentiality, as a result of not applying technical and organisational measures to prevent unlawful access to personal data
    • Failing to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services, and not implementing the technical and organisational measures needed to ensure a level of security appropriate to the risk.

    Elsewhere in Europe, a German company was fined €20,000 after the personal data of 330,000 users of its chat platform was compromised and then made publicly available by hackers in September 2018. In Austria, one company received a fairly moderate €4,800 fine for installing a CCTV camera in front of its building that also recorded images of a large part of the pavement. Large-scale monitoring of public spaces is not permitted under GDPR.

    And in the UK, the ICO has issued a notice to a Canadian data analytics company, AggregateIQ Data Services Ltd, to stop using EU citizens’ personal data for analytics.

    As it’s not yet been a year since the new regulation came into effect, we’ve yet to see many fines issued. However, reports show that data breach complaints have increased by 160% since GDPR came into force. This increase is worrying news for businesses, considering the scale of the fines they could be handed, and it shows just how critical it is that companies ensure their staff are trained in everything they need to know about GDPR.

    Looking back at what could have been

    Yahoo currently wears the crown for the biggest data breach of the 21st century. In September 2016, the internet giant revealed that its 2014 data breach had compromised the personal data of 500 million users. Later that year, another breach from 2013 came to light that had compromised 1 billion accounts. That’s one for every seven or eight people on the planet!

    But the full extent of the multiple breaches was not acknowledged until October 2017, when Yahoo's new owner Verizon discovered it was not 1 billion accounts that had been compromised in 2013, but 3 billion accounts! That’s every single account under the Yahoo name, including Flickr and Tumblr.

    The breaches knocked a huge chunk off Yahoo’s sale price - to the tune of $350 million. Having once been valued at $100 billion, Verizon paid just $4.48 billion for the core internet business. In October last year, Yahoo agreed to pay $50 million in damages - of which half will be paid by Verizon and the other by Altaba, Inc. (Yahoo changed its name to Altaba after the sale of its core business).

    But, what would have happened if this breach had taken place post-GDPR?

    Of course, the scope of the breach was significant. But what would have been crucial today is that Yahoo did not disclose the extent of the breach within 72 hours, as GDPR requires. And with revenue in excess of $4 billion for the year 2012/2013, Yahoo would have faced an $80 million fine, or potentially as much as $160 million!

    The huge jump in maximum fines for data breaches in the UK, from £500,000 to £8.8 million or even £17.6 million, shows the significant lengths regulators are going to in order to protect people’s personal data and privacy.

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!
