With the introduction of the General Data Protection Regulation (GDPR) across Europe and the UK Government’s new Data Protection Act (2018), the Information Commissioners Office (ICO) are clamping down on organisations that are failing to comply. Fines can be as high as €20 million (approximately £17.5 million), or up to 4% of annual turnover, whichever is larger, so protecting customer data has never been more crucial.
Data breaches are a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This could be from the access of an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data.
Example of the Extent of ICO Fines
A prime example of how GDPR would be enforced by the ICO is the £500,000 fine imposed on Facebook for the Cambridge Analytica breach which occurred towards the end of 2015. They were given the maximum penalty under the Data Protection Act (1998) as the data breach involved personal information gathered from 87 million users.
Had such a breach occurred after the 25th May 2018, when enhanced data protection laws came into force, the ICO said they would have imposed a considerably higher fine, at the upper end of the scale. Under the new laws this would have meant that Facebook faced a maximum penalty of around £1.45 billion.
What’s Happened Since GDPR?
Ticketmaster are the latest to experience a data breach and the first to fall within the new Data Protection Act (2018). Affecting 40,000 of their customers after a malware attack on a third-party vendor, Inbenta’s Chatbot, hackers were able to steal names, addresses, telephone numbers, payment card details and login details. The breach was continuous, occurring between September 2017 and 23rd June 2018, spanning both old and new data protection laws.
Due to the time frame of the breach the ICO are currently evaluating which law will apply. A spokesperson said, “It’s still very, very early days and we’re still in the evidence gathering stage and will assess it from there.” According to data protection lawyers it is believed that either the DPA 1998 and DPA 2018 will be applied collectively or the DPA 2018 alone.
Either way this decision will set the precedent for future cases where a breach has continued for a period of time, spanning both old and new laws and showcase the dramatically different level of fines.
How Can Organisations Prevent Such Penalties?
- Start by looking at the scope of their organisation within GDPR.
- Work with a Qualified Security Assessor, such as LRQA Nettitude, who can help you review your IT network for vulnerabilities.
- Work with partners and suppliers that demonstrate a high level of data security (i.e., Are PCI-DSS level 1 compliant).
- Fully inform your customers of how their data is processed and stored, along with ways the organisation can fully dispose of it.
- Have an up-to-date business continuity document or disaster recovery plan that includes clear time-scales on communicating to customers.
- Ensuring personal customer data isn’t exposed to unauthorised parties or unnecessarily open and accessible by members of staff within the organisation.
Contact Key IVR for solutions that could protect your customers sensitive payment data, preventing your organisation from such penalties thanks to a robust and secure PCI compliant payment platform. Call +44 (0) 1302 513 000 or email firstname.lastname@example.org to discuss your requirements.