In recent weeks, two multinationals have felt the force of the General Data Protection Regulation (GDPR), as regulators across Europe show they mean business when it comes to imposing large fines and taking tough enforcement action.
British Airways was hit with the largest penalty yet proposed under GDPR, which came into force in May 2018. The Information Commissioner’s Office (ICO) has announced its intention to fine the airline £183 million, equivalent to 1.5% of its worldwide turnover in 2017. The airline has admitted that customer data was stolen by hackers last August from its website and mobile app. Just a day later, US-owned hotel chain Marriott was told it faces a fine of £99.2 million after hackers stole the records of around 339 million guests. The ICO linked the penalty to a failure to carry out sufficient due diligence on the Starwood hotel chain’s guest database, which Marriott acquired in 2016 and which had already been compromised before the purchase. Both British Airways and Marriott have said they will contest the penalties, but there is no dispute that the breaches occurred, and it seems unlikely the regulator will back down.
GDPR has also prompted a rise in breach notifications, with many businesses clearly anxious about the penalties they could face for failing to notify. This appears to be a particular issue in the UK: research from law firm Pinsent Masons found the ICO has received an average of 1,276 notifications per month, whereas the figures for France, Italy and Spain were 307, 170 and 94 respectively.
A significant rise
The rules state that firms must report a personal data breach to the regulator no later than 72 hours after becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned, and where the breach is likely to result in a high risk of harm to those individuals, they must also be informed directly without undue delay. Meanwhile, a separate report from the ICO showed it had received some 14,000 data breach notifications in the year since GDPR was implemented (25 May 2018 to 1 May 2019), whereas in the previous year to 31 March 2018 only 3,300 reports were made. Even allowing for the slightly different reporting periods, the regulation has prompted a more than four-fold increase.
GDPR is changing attitudes to data breaches, which should result in higher levels of security. Anecdotally, those offering encryption software are said to be seeing a boom in business as more firms seek to beef up their security. However, it should be noted that many of the notifications are for minor breaches: indeed, the ICO said that over 82% of the notifications since GDPR came into effect required no action on its part.
GDPR is not just having an impact in the UK, even if the ICO is particularly prominent. In the first nine months of the regulation being in force, data protection regulators in 11 countries levied fines totalling €56m, although most of that total was the single €50m fine imposed on Google in January 2019 by the French data protection agency CNIL.
Other fines have included the €220,000 issued to a digital marketing company, Bisnode, by the Polish Personal Data Protection Office. The regulator found that data subjects had not been made aware of their privacy rights, even though there was a statement on the company’s website, and so could not object to further processing of their data or ask for it to be amended or deleted. Meanwhile, a small fine of just €2,000 from the Belgian Data Protection Authority shows that even individuals should be mindful of their responsibilities when using personal information: in this case, a mayor collected email addresses and used them to send out election campaign materials without complying with the regulation.
Although some argue that GDPR is a negative force that stifles innovation, proponents argue that the regulation is not only needed but will also drive up standards globally. Indeed, there are reports that countries including the United Arab Emirates, Kenya and, perhaps surprisingly, China are all planning to pass new data protection laws.
As more high-profile companies come under the GDPR cosh, awareness of responsibilities will spread. While effective technology has an important role to play, handling data well is also a cultural matter. For some it may be a steep learning curve, but we can also expect to see more compliance and better security across the board.
With data protection becoming increasingly important in this day and age, we outline 6 key risk management metrics that can be utilised to help control cyber security in our white paper.