GDPR has now been in effect for over a year, and since then, regulators enforcing its regulations for data portability, security, and privacy have begun flexing their muscles – and handing out whopper fines left and right.
Regulators in the US, the UK, and further afield in the EU are all taking GDPR seriously, and you should be, too. Why? Because if you aren’t taking it seriously and don’t have the proper GDPR training, your company could face a fine – just like the companies we’re going to be looking at in this article. Let’s take a look at some of the biggest fines – and near misses – that have happened since GDPR took effect on May 25, 2018.
The Information Commission Office of the UK has announced that it’s looking to slap British Airways with an absolutely massive fine of £183.39 million (US $229.34 million). This fine would be a record for the ICO under new GDPR regulations, as the largest one ever levied against a non-complying company.
This fine comes after an extremely serious security breach, though. In September 2018, it was found that hackers managed to divert official British Airways web traffic to a fake website, where they were able to steal detailed personal data from an estimated 500,000 customers. This information included:
Because BA failed to recognize this issue all summer, and only realized in September, regulators are arguing that they failed in their duty to protect their customer’s information. And for that, they will be paying an astonishingly high penalty, if the ICO gets its way and this fine of nearly $230 million USD is leveled against British Airways.
Not only is British Airways getting hit with a huge fine, but the American-based multinational conglomerate Marriott is also being targeted with an enormous fine for exposing the data of millions of its customers.
The ICO intends to fine Marriott around $123 million USD for a data breach that exposed the data of more than 339 million customers from around the world. In 2014, hackers gained unauthorized access to the Starwood guest reservation database, and were able to siphon off personal information for years. The breach was only discovered – and reported to the ICO – in November of 2018.
Another interesting wrinkle to this story is that Marriot did not actually own Starwood when the breach started in 2014 – the hotel group was still independent when the breach started. However, Marriott merged with Starwood in 2016, making this data breach their problem.
Not every data breach is as serious as the two listed above, but no country or organization is immune to the new, stringent data laws of GDPR. In Romania, for example, the first fine under GDPR was leveled recently at Unicredit Bank, after the National Supervisory Authority found that it failed to implement GDPR-compliant measures to protect the personal data of customers.
Documents with personal details like information related to payments, personal identification numbers, addresses and other information were visible, and about 337,042 people were targeted between May and December 2018.
Recently, the top-flight Spanish football league (soccer, for us Americans!), La Liga, was fined more than $280,000 for a “spy mode” was discovered in its official mobile app, and it was found to be violating its user’s privacy.
La Liga gained unauthorized access to its user’s microphone and GPS coordinates, in an attempt to identify their surroundings – and identify when bars were unofficially streaming games without paying for costly broadcasting rights.
The AEPD, the Spanish data regulation authority, found that this violated Article 5.1 of the GDPR – which requires the lawful, fair, and transparent processing of personal data. It also violated Article 7.3, as it did not gather proper consent from customers, and this function was not reported in the app’s description. La Liga will have to cough up $280K, and remove the functionality from their app or correct its violations.
Need proof that GDPR adherence is important – and that even a single, innocent mistake can cost you big? Look no further than the Municipality of Bergen, Sweden. Though this is not the biggest GDPR fine, it’s one of the largest on a per-record basis – because the municipality was fined more than $190,000 for just one misplaced file.
A student in the public school system found a file in a public storage area with the login credentials of more than 35,000 students and school employees. The school district was found to be violating Articles 5(1)f and 32 of GDPR, and issued a fine in excess of $190K USD.
This fine was not issued under GDPR regulations, but was carried out under the Data Protection Act 1998, the penalty was leveled against Equifax in late September 2019. $625,000 was the maximum possible penalty under these regulations.
We’ve put this penalty on this list to illustrate an important point. Equifax received this fine for a data breach which affected 15 million UK citizens and 146 million global customers during a cyber-attack in the summer of 2017.
Because GDPR regulations had not taken effect, Equifax narrowly avoided a gigantic penalty. While Data Protection Act 1998 fines top out at £500,000, GDPR has no such limits. If this breach had taken place after GDPR went into effect, Equifax could easily be facing a multi-million dollar fine – like British Airways and Marriott. So they got lucky this time – but if a similar event happens under GDPR, they’re not going to get away with just a slap on the wrist.
As time goes on, GDPR penalties are only going to get steeper. If you are a business operating in any EU member country, you need to make sure that you are taking the proper steps to comply with GDPR.
While the penalties and fines are smaller for small-to-midsize businesses, a large GDPR fine could still have an enormous impact on your bottom line – and with proper preparation and training, these fines can be avoided.
So if you have not yet implemented GDPR training at your company, and have not taken steps towards proper GDPR compliance, you need to do so right away. Regulators in the US, UK and EU are taking GDPR seriously – and unless you want to be hit with a stiff penalty, you need to do the same.