GDPR eLearning: A year on
One of the main reasons why our customers decided to deliver GDPR eLearning across their workforce, was their concern around the increased financial penalties for data breaches.
I would like to just highlight, that is not the only reason our customers decided on GDPR eLearning. The care of their customer’s data and the support they wanted to offer their staff were equally as important to them.
However, for a bit more of a “sensational blog”, I want to just focus on the financial penalty side of GDPR.
It is coming up to a year on 26th May since the EU General Data Protraction Regulation (GDPR) came into effect.
With the help of our Subject Matter Expert, Karen Heaton, let’s remind ourselves what those increased risks are. Then we will look at some of the penalties and fines handed out since the GDPR came into effect.
A reminder of the huge fines
The potential for huge fines from the EU General Data Protection Regulation (GDPR) and now the UK Data Protection Act 2018 were grabbing the headlines leading up to the deadline day of 26th May 2018.
The highest maximum level of fines is 4% of global annual turnover or Euro 20m, whichever is highest.
However, there is also a standard maximum level, which is 2% of global annual turnover or Euro 10m.
Both are hefty penalties, as they apply to turnover, not profits.
The size of the penalty will depend on a number of factors;
- the behaviour of the organisation
- what steps have been taken to be compliant
- how this can be demonstrated to the ICO
- whether the organisational culture takes data protection seriously
UBER – November 2018
Uber was hit with a £385,000 fine for not letting customers know their data had been breached.
A company of data hackers managed to steal the personal date from 2.7 million Uber customers and its drivers.
What made the situation worse in the eyes of the ICO, is that UBER didn’t tell their customers that their personal data had been stolen.
The hackers managed to download personal data such as names, email addresses and phone numbers of Uber’s customers as well as around 80,000 of Uber’s drivers. Uber paid the data hackers $100,000 to destroy the data but they didn’t tell their customers about it.
The £385,000 fine was determined based on the size of the breach and the sensitivity of the information stolen. It also took into account that Uber failed to let the victims of the crime (their customer’s) and the regulators know about the data breach.
There were also 174,000 people in the Netherlands affected by the data breach, as a result the Dutch Data Protection Authority (DPA) imposed a separate €600,000 fine.
Bounty UK – April 2019
The Pregnancy club, Bounty UK was hit with a £400,000 fine for not letting customers know they were sharing their data with 3rd parties.
The company failed to let more than 14 million customers know that they passed on data to 3rd party companies.
Bounty UK collects personal data from its website, apps and new mothers at hospital bedsides but they didn’t fully disclose the personal data was being shared with 3rd part companies for direct marketing purposes.
The ICO found that Bounty shared approximately 34.4 million records with 39 credit reference and marketing agencies. The data that was shared was from potentially vulnerable new mothers and very young children whose birth date and sex were included.
Steve Eckersley, the ICO’s director of investigations, said the number of personal records and people affected in the case was “unprecedented” in the history of the ICO’s investigations.
Equifax – Sept 2018
Equifax was fined a record-equalling £500,000 for keeping data longer than necessary.
They failed to protect the personal information of 15 million UK citizens in 2017, due to a cyber attack on the credit reference agency.
Hackers stole personal information of Equifax’s customer’s, including, names, dates of birth, addresses, passwords, driving licences and financial details.
The ICO found that Equifax had retained this data for longer than necessary and that it was vulnerable to unauthorised access.
Although the compromised systems were based in the US, the ICO issued the fine because the company’s UK branch had failed to ensure its American parent was protecting the information of its UK customers.
This fine currently stands as the highest ever issued by the ICO (held jointly with Facebook), however the costs could have been far higher if the breach had occurred after the GDPR implementation date.
The £500,000 penalty is the maximum that the ICO could issue under the Data Protection Act 1998. However under GDPR, Equifax would face a fine of up to €20 million, or 4 percent of annual global turnover.
Facebook – Oct 2018
Facebook was fined £500,000 for improperly sharing personal data with a political consultancy.
In 2016 the social network shared personal information of an estimated 87 million Facebook users with Cambridge Analytica.
Facebook shared the data through a quiz that collected data from participants and their friends.
The investigation found Facebook guilty of allowing application developers access to user information without sufficient consent. Facebook failed to secure personal information by making suitable checks on the apps and developers using its platform. The ICO found Facebook took inadequate remedial action once the misuse of data was discovered.
Elizabeth Denham, Information Commissioner, said:
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR”.
Today’s fact from Karen Heaton
The ICO quarterly statistics on reported data security incidents found that in Q4 2017, four of the five leading causes (cases where the ICO took action) involved human errors and process (control) failures.
Employee training and data handling guidelines are ‘must haves’ for organisations processing personal and special categories of data e.g. medical data/ child data.
GDPR eLearning is a really quick and effective way to remind all staff members of the obligation to let customers know of data breaches.