Since GDPR came into force, there have been:
- 160,000 breach notifications made to authorities
- 247 notifications per day in 2018
- 178 notifications per day just in the first half of 2019
- A total of £100m in fines
Here are some of the recent fines that regulating authorities have issued and guidance on how to make sure your business stays on the right side of GDPR.
Four GDPR fines we can learn from
British Airways – £183m (under appeal)
What happened?
The airline was the victim of a cyber attack in which the personal data of 500,000 customers was stolen by hackers through a fake website. The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site, through which details of about 500,000 customers were harvested by the attackers. The incident was first disclosed on 6 September 2018. BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
Why are they being fined?
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”