Breaking the Law:
This Is How Much a GDPR Breach Can Cost
by Veronika Čáslavská 2020-06-05
It’s just four letters, but not complying with them can get costly. The General Data Protection Regulation (GDPR) has been broadly discussed by the media – yet many companies still fail to handle personal data properly. And it gets expensive.
In May 2018, the General Data Protection Regulation (GDPR) changed how companies in the EU obtain, store and handle customer information.
Among other aspects, the law defines what personal data is and the way users should be informed on how their personal information is processed. Thanks to huge media attention dedicated to the GDPR, the public now has a better understanding of their rights regarding personal data.
“The GDPR has increased awareness among ordinary citizens,” says IT security expert Jaroslav Oster, “so they are now increasingly empowered to file a complaint if their rights are violated. And all authorities in the European Union are very active in controlling the GDPR compliance.”
However, some companies still perceive the GDPR as an obligatory legislative burden, instead of leveraging it as an opportunity to fully implement complex data protection and cybersecurity solutions. Complying with the GDPR does not necessarily save them from data breaches. And if data is stolen, in most cases, companies are obliged to take responsibility and report the incident to authorities – and these authorities can press charges if insufficient measures were employed.
This year’s DLA Piper GDPR Data Breach Survey found that since the GDPR came into force, over 161,000 personal data breaches were reported in the 28 EU member states plus Norway, Iceland and Liechtenstein. According to the GDPR Fines Tracker and Statistics, at the end of March 2020, GDPR fines in the value of 467 million euros had been issued. Who had the biggest share and why?
1. British Airways heads up to the sky
Between June and September 2018, British Airways (BA) suffered a data breach in which the personal and financial data of around 500,000 of its customers was stolen. How? When visiting the airline’s website, users were diverted to a fraudulent website through which the hackers collected the data.
From the perspective of the airline, this was an unintentional incident caused by a third party. Nevertheless, by not protecting the customer data responsibly, BA violated the GDPR. In July 2019, the Information Commissioner’s Office (ICO) fined the company more than 204 million euros, the largest fine issued so far.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Information Commissioner Elizabeth Denham.
2. An expensive stay for Marriott Hotels
A few days later, also in July 2019, another British company faced GDPR fines. However, this fine was also related to a cyberattack. In 2018, Marriott reported to the ICO that “a variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).” The ICO stated that Marriott failed to carry out proper due diligence and secure its systems. The ICO fined the company more than 110 million euros.
3. Google does not stay behind
In January 2019, the French data regulator CNIL fined Google 50 million euros due to “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation,” said CNIL. According to the authorities, Google failed to inform the users about how their data would be used and in which applications. “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” stated the CNIL.
In 2017, Swedish authorities forced Google to remove a number of search results from its search engine. Despite this, in 2018, several results that should have been removed still appeared in the search results. Several other compliance problems appeared – therefore, in 2020, Swedish data protection authority Datainspektionen fined Google 7 million euros.
4. State organisations are not an exception
State institutions also have to comply with the GDPR. According to the GDPR Fines Tracker and Statistics, in May 2019 the Directorate of Social and Child Welfare Institutions of the Ferencvaros District of Budapest had to pay 286 euros to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH). In this case, human factors were at fault. An employee of the Directorate accidentally sent nine letters to an incorrect recipient, and those letters contained personal data of 18 different subjects.
Even a political party in Hungary had to pay a GDPR fine, because it failed to secure its database containing personal data of over 6,000 individuals. An anonymous hacker discovered a weakness, broke into the system and got access to the database. This weakness cost the political party 34,375 euros.
One of the more recent violations comes from the Danish municipality of Hørsholm. A city government employee had his computer stolen, losing not only the device, but also personal data of around 1,600 city employees, including sensitive information about Social Security numbers. In March 2020, the Danish Data Protection Authority fined the municipality 7,000 euros.
5. Small businesses should care too
Small businesses must comply with the GDPR too. Although the fines usually tend to be lower, they may still have a significant impact on the company’s revenue and budget. If SMBs fail to comply with GDPR’s code of practices, they can face fines up to 2% of their annual revenue or 10 million euros, whichever is higher. And if it comes to an actual data leak, the sum doubles. Still, according to the 2019 GDPR Small Business Survey, millions of businesses struggle to implement the regulation and fail to comply with its complexity.
Complying with the GDPR can be tricky. According to the GDPR Fines Tracker and Statistics, the Czech Data Protection Authority imposed a fine of 1,165 euros to an auto rental company for tracking a rental car via GPS without informing the renter. As a result, the company had to pay one thousand euros – and for a small business, that could be a big hit.
Ensuring information security is not only something you should ensure to be trusted by your clients, but also for yourself and your company. “Start addressing security as a technological issue and not exclusively as a bureaucratic burden,” says IT expert Jaroslav Oster, “and pay attention to the training of your employees. It’s them who can put your company at risk.” If customer rights are not guaranteed or if personal data gets stolen, the GDPR doesn’t make exceptions.