Major GDPR fines reach a collective €270 million

Since GDPR came into force in May 2018, there have been almost €270 million worth of major fines (those with a value of over €100,000) handed to a total of 50 companies. Companies who have been hit with these fines include Google, British Airways, Marriott Hotel Group and many other big names. A transparent reporting process will help companies identify data breaches, mitigate the risks and take any action required to ensure a data breach doesn’t happen again.

Best practice for reporting personal data breaches

The EU’s General Data Protection Regulation (GDPR) requires organisations to report certain types of personal data breaches to relevant supervisory authorities. Where feasible, you must do this within 72 hours of becoming aware of the breach.

Fear is a great motivating factor for people to start complying with previously ignored rules and regulations – whether that applies to COVID19 or GDPR. Take for instance the increasing number of anti-maskers suddenly masking up following spiking numbers of COVID-19 deaths in their area. Like most of us not believing authorities’ dire predictions until they hit home, people still tend to be reactive rather than proactive – and even more so when an ongoing situation is rife with uncertainty.

The story of GDPR preparedness seems to follow a similar path. Although introduced in May 2018, with no dearth of heavy fines hitting businesses, there are still an overwhelming number of EU, US and UK businesses that are not fully GDPR compliant, with some that not yet even have begun their GDPR initiatives.

Like COVID-19, GDPR doesn’t seem to be going away anytime soon, although some businesses would probably like it to. So why, after more than two years, are so many organisations unable to rise to the challenge?

The EU-US Privacy Shield is no more. In a dramatic move, the European Court of Justice ruled the agreement covering the transfer of EU citizens’ data to the US is invalid as of 16 July 2020.

What is the Privacy Shield?

The Privacy Shield is used as a mechanism for data transfer for over 5,000 companies to ensure that data subject to GDPR standards is kept secure and safe when held in the US.

Since the Privacy Shield is no longer in effect, companies will have to rely on other mechanisms such as standard contractual clauses (SCC’s) and binding corporate rules (BCR’s) to maintain transatlantic data transfers.

It is important to note that this ruling does not concern what’s known as ‘necessary’ data transfers, like sending an email to book a hotel or finalise a contract. This ruling is about the bulk outsourcing of data covered by GDPR, that is EU citizen’s data, to the US. This is often done for cost reasons or because the business is based in the US.

Long term, this ruling could mean more EU data is processed closer to home. However, in the short term, any data which is transferred using the Privacy Shield mechanism should be reassessed and a new framework put in place, at least temporarily, to reduce any interruption to the data flow.

Over half of the world is currently under lockdown, and one of the greatest challenges many organisations face is how to keep operating as close to normal as possible during this time. Unfortunately, during these times, compliance can often take a back seat, but GDPR hasn’t gone away.

In our 20-minute on-demand webinar, our Director of Learning and Content Nick Henderson takes us through the key things you need to remember to keep data safe during the current coronavirus crisis. He also gives guidance on how to ensure you prevent GDPR breaches while working remotely.

Watch now

Due to the recent spread of the novel Coronavirus (COVID-19), many employees have been forced for various reasons to work out of the office. As the virus spreads across Europe and global cases approach 100,000, the British government warned that one in five workers in the UK could be off sick during a Coronavirus peak, with many more likely to be in self-isolation due to having returned from certain destinations or having come into contact with infected individuals. Additionally, some organisations have temporarily closed their offices and told workers to work from home as a precautionary measure.

Keeping data safe and secure inside an office is one thing. Keeping it safe outside the office can be trickier. With that challenge in mind, we’re here to present you with seven vital tips on how to keep yourself and your organisation safe from a GDPR and cyber-security perspective when working remotely.

Should we be sharing files via email?

Reducing cyber breach risks in your business

Sending information by email is never really secure, even over an HTTPS connection. Not all email providers offer an encrypted way to send messages.

Unless the files themselves are encrypted, such as by using a password-protected PDF, there is no guarantee that the intended recipient will be the only one to see the message.

Since GDPR came into force, there have been:

• 160,000 breach notifications made to authorities
  • 247 notifications per day in 2018
  • 178 notifications per day just in the first half of 2019
• A total of £100m in fines

Here are some of the recent fines that regulating authorities have issued and guidance on how to make sure your business stays on the right side of GDPR.

Four GDPR fines we can learn from

British Airways – £183m (under appeal)

What happened?

The airline was victim to a cyber attack where the personal data of 500,000 customers was stolen by hackers through a fake website. The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said. The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

Why are they being fined?

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”