One of the biggest changes brought in by the General Data Protection Regulation was the increase in fines for data breaches.
Since its implementation in 2018, the maximum fine has risen from £500,000 under the Data Protection Act 1998 to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
In the past three years, the UK regulator, the Information Commissioner’s Office (ICO), has imposed several large financial penalties on businesses which have breached GDPR’s rules.
They have included:
The case of the airline fine
In October 2020, the ICO fined one UK airline £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures. This failure broke data protection law, and the airline was subsequently the subject of a cyber-attack during 2018 which it didn’t detect for more than two months; a third party informed it of the problem.
The personal details accessed included names, addresses, payment card numbers, and CVV numbers.
The case of the malicious code
In November 2020, the UK arm of a worldwide ticketing company was fined £1.25 million by the ICO for failing to protect customers’ payment details.
Malicious code was found in a chatbot on the payment page, scraping personal details.
The incident in May and June 2018 potentially affected 9.4 million customers across Europe, 1.5 million of them in the UK.
More than 60,000 individual card details were compromised in May and June 2018, Barclays Bank and Monzo Bank told the ICO.
The company received approximately 997 complaints alleging financial loss or emotional distress.
The case of the costly cyber attack
In October 2020, a major hotel chain was fined £18.4 million for failing to keep millions of customers’ personal data secure.
More than 330 million guest records worldwide, seven million of them in the UK, were affected after a cyber attack on a smaller hotel company in 2014. This went undetected until 2018, after the large hotel chain bought up the smaller company.
The data included names, email addresses, phone numbers, unencrypted passport numbers, arrival and departure information, guests’ VIP status, and loyalty programme membership numbers.
The ICO’s investigation found failures to put appropriate technical or organisational measures in place to protect the personal data on its systems.
The case of the dumped medical details
In December 2019, a London pharmacy was fined £275,000 for failing to ensure the security of special category data.
The business, which supplies medicines to customers and care homes, left an estimated 500,000 documents in unlocked containers at the back of its premises. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
One of the best ways to avoid a fine and keep on top of your legal obligations is to understand your data and then to use compliance software like Mango to help you manage it effectively. To find out more about how you could make use of Mango in your organisation, book a free demonstration, which will be delivered via Zoom.