It has been well over a year since GDPR came into effect, and there is still a great deal of confusion around compliance, so much so that fines are being issued frequently for failing to adhere to the new legislation, including against large and well-known organisations.
A few examples of fines (in ascending order) issued by the Information Commissioner’s Office (ICO) include:
Vote Leave Limited, who were fined £40,000 for sending thousands of unsolicited text messages in 2016. The ICO’s investigation found 196,154 messages promoting the aims of the leave campaign and its website. The campaign was unable to provide any evidence of consent to send these messages, resulting in the fine;
Heathrow Airport Limited (HAL), who were fined £120,000 for failing to ensure that personal data held on their network was properly secured. A USB memory stick was found by a member of the public in West London, who was able to access 76 folders and over 1,000 unencrypted files originating from HAL, including personal and sensitive data such as dates of birth, nationality and passport details;
Bupa Insurance Services Limited, who were fined £175,000 for failing to ensure that effective security measures were in place to protect their customers’ personal information. The fine followed the discovery of Bupa customer data for sale on the dark web, and the ICO found that appropriate organisational and technical measures had not been put in place to protect personal data against unauthorised and unlawful processing;
Uber, who were fined £385,000 for failing to protect their customers’ personal information during a cyber-attack. The attackers contacted Uber US demanding a payment of at least $100,000 in exchange for revealing how they had accessed customer accounts. Uber were fined for inadequate security arrangements;
And a final example, Facebook Ireland Ltd, who were fined £500,000 for “serious breaches of data protection law”. Third parties were able to operate applications on the Facebook platform that allowed them to obtain the personal data not only of the users who installed those apps, but also of those users’ friends, who had not installed the app.
While the largest fine here is only £500,000, that is because each of these transgressions took place before the 25th May 2018 deadline, and so was penalised under the original legislation (the Data Protection Act 1998), whose maximum penalty was £500,000. Going forward, as GDPR becomes better known and understood, the leniency observed so far may not continue, and the GDPR maximum of up to €20 million or 4% of annual global turnover, whichever is higher, could become far more likely where proper protections are not put in place.
As the big names above show, the ICO is not afraid of pointing out mistakes, regardless of who makes them, and of penalising the organisation, or even individuals, where the correct policies, procedures and laws are not followed, or where the correct protections are not put in place to ensure the safety of the personal data being held.
If you’re reading this and thinking to yourself “Well, bugger. What do we do now?” don’t worry, Samurai is here to help.
Struggling with GDPR compliance? Do you have employees struggling to understand the lawful bases for processing data? Have no fear, Samurai is here! With our team of experts, we are able to offer fully comprehensive, in-depth GDPR Compliance Audits, as well as in-house and onsite training in both GDPR Awareness and Cyber Security Awareness.
Don’t hesitate to get in touch; we’re here to help with all your cyber needs!