Notable Fines from the GDPR

May 16, 2019, MOQdigital Marketing

News, Business Insights, Cyber Security

Copy of MOQdigital Jan - Mar II (42)Data breaches and cyber security have become major news in the past few months, and it is a trend that won’t change. With new legislation with the NDB and the GDPR, businesses are under more pressure to be compliant and responsible in a digital age – or suffer the consequences.The GDPR, known as the General Data Protection Regulation, is the primary law that regulates how companies protect the data of EU citizens. It is also one of the most significant changes to data protection that we have seen in over two decades. It came into effect in the first half of 2018 and has since affected multiple businesses all over the world.

Understanding the Fines

Infringement of the GDPR can result in fines of up to 4% of a company’s annual global turnover, or €20million – whichever is greater. However, not all infringements lead to penalties with supervisory authorities, such as the ICO, having the ability to pursue other actions such as issuing warnings, imposing bans on data processing, ordering rectification, and suspending data transfers.

Once a company has become aware of a data breach – no matter how old the breach is – they have 72hours to notify the appropriate authorities for their area.

Fines to Date

According to the European Data Protection Board, over 200,000 cases have been reported by supervisory authorities in the first nine months since the launch of the GDPR. Fines from these cases were issued over 11 EEA countries and total over €56million. Notable breaches occurred with:

  • Google: A vast majority of the €56million fine came from Google in January 2019. The CNIL, the supervisory board of France, found that Google had violated the GDPR by ‘excessively disseminating essential information’ and failing to obtain the valid legal basis for the processing of personal data for ad personalisation.
  • Facebook: Facebook was hit with a £500,000 fine for their role in the Cambridge Analytical Scandal. The scandal uncovered that the information of an estimated 87million Facebook users had been shared with Cambridge Analytica, a political consultancy firm and that Facebook had given access to user information without sufficient consent.
  • Uber: Popular ride-share company Uber received a £385,000 fine from the UK and a €600,000 penalty from the Netherlands after paying off hackers who stole the personal details of over 2.7million Uber Customers. The attackers hacked cloud-based system storage and downloaded full names, email addresses, phone numbers, and other personal information, with Uber paying the attackers $100,000 to destroy the data before failing to tell affected customers for over 12 months.
  • Equifax: Equifax also received the maximum fine under new legislation for their failure to protect the personal information of 15million UK citizens from a 2017 cyber-attack. The attack was revealed during an audit of the company, with user names, birthdays, addresses, passwords, license details, and financial information revealed and made vulnerable to unauthorised access. 
  • Crown Prosecution Service: The Crown Prosecution Service of the UK was fined £325,000 after unencrypted DVDs containing police recordings with victims of child sex abuse were lost. These DVDs were to be used in trial and contained sensitive information about the victims and their identity.

What this means for Aussies

The Australian Office of the Information Commissioner (OAIC) wants Australian businesses to know that they may need to comply with GDPR rules if they have any establishment in the EU, if they offer goods and services in the EU, or if they have any data or monitor the behaviour of any individual in the EU. They recommend that all Australian businesses work to comply with the GDPR and take steps to ensure that their data handling practices are compliant with the latest legislation.

Many Australian businesses make the mistake of assuming that GDPR legislation does not affect them and fail to realise that it does – and even if it doesn’t, they are still under Notifiable Data Breach regulations that also carry hefty fines and considerable consequences. The best way that Australian businesses can ensure that they remain compliant is to ensure that they have a good security strategy in place that accounts for new legislation and regulations. Australian companies who comply with NDB typically have the assets required to remain compliant with the GDPR too.

If you want to ensure that your business is in the green, contact MOQdigtal today. We can help you understand the complexities of new regulations and ensure that your company remains compliant, secure, and ready to succeed in a digital age.