Although the GDPR has been in force since May 2018, the first fines for data breaches have only just started to land on companies.
On 8 July 2019 the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways £183.39 million for the June 2018 data breach that compromised the personal information of around 500,000 customers. This is a vast amount compared with the £500,000 fine levied against Facebook in 2018 over the Cambridge Analytica scandal, which affected 89 million individuals; £500,000 was the maximum penalty allowed under the Data Protection Act 1998, the law in force before the GDPR.
On 9 July 2019 the ICO also announced its intention to fine Marriott International £99,200,396 for a data breach that affected 339 million customer records, around 30 million of which related to residents of the European Economic Area.
At the end of July 2019 the Capital One data breach came to light, affecting the personal information of 106 million Capital One customers. Those customers are in the US and Canada, so the breach falls outside the scope of the GDPR; had it applied, with a maximum penalty of 4% of global annual turnover Capital One could have faced a fine of over £1 billion.
Also in July 2019, the US Federal Trade Commission announced a $5 billion penalty against Facebook for the Cambridge Analytica privacy violations. Some analysts have observed that this is a minor blow for Facebook relative to its earnings, but it is still the largest fine the FTC has ever levied against a technology company.
Holding companies accountable for personal data protection
As part of the announcement of the intention to fine Marriott International, the UK Information Commissioner Elizabeth Denham said “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The recent penalties make it clear that regulators will take a harsh view of organisations that fail to look after their customers' data. Regulators do, however, give credit to organisations that make genuine efforts to improve their data security. The British Airways penalty is the ICO's first proposed under the GDPR, yet rather than the maximum of 4% of global turnover it amounts to around 1.5% of the company's turnover. The ICO recognised that British Airways had cooperated with the investigation and had improved its security arrangements since the breach came to light.
The same applies to the proposed Marriott International penalty, which is around 0.6% of global turnover. Regulators recognise when a problem has been identified and the organisation is working to ensure it does not recur. The penalties are still considerable, though: while remediating a breach counts in an organisation's favour, the size of the fine is clearly intended to be a significant deterrent.
How to prevent poor data management practices (and penalties)?
Any data privacy programme needs to cover both the strategic and the day-to-day operational procedures of an organisation. It starts with clear policies that are in place, understood and attested to by every employee, and extends to managers being clear on their responsibilities and having plans in place to meet them.
A comprehensive policy management solution provides the foundation on which a secure structure can be built. That foundation needs the support of operational systems that secure data by granting access only to those who need it for their role (the principle of least privilege). Oversight of operational metrics matters just as much, so that the organisation has visibility of what information it holds, who is accessing it and how it is being used. A secure enterprise content management solution can help manage both the data and the controls around it as part of the overall secure environment.
In a world where regulations have global reach and the impact of breaches grows ever more severe, controlled and structured systems, built on a strong foundation of policies and procedures, will help organisations meet today's requirements while mitigating tomorrow's risks.