August 1, 2019

Biggest GDPR fines so far still not high enough: Cybersecurity experts

By Lucy Ingham

The biggest fines issued under GDPR so far are still not high enough, despite being in the millions, according to a poll of cybersecurity experts conducted by Tripwire.

Despite British Airways and Marriott International being issued with fines of £183m and £99m respectively for serious data breaches, a poll of Tripwire’s Twitter followers, the majority of whom work in cybersecurity, found that many believe the companies’ fines should have been higher.

While a slim majority, at 45%, thought the fines were appropriate, 43% said they thought the fines were too low. Just 12% considered the BA and Marriott fines to be too high.

Despite being the biggest GDPR fines so far, in both cases, the fines were not the full amount that could have been issued by the Information Commissioner’s Office (ICO). Both represented 1.5% of the companies’ global annual turnover, but the ICO could have opted to issue a fine of up to 4% of the same.

Nevertheless, most did feel that the fines would make their companies take GDPR more seriously, with 60% agreeing with this statement. However, this may not be enough, as 53% said that they thought fines would change organisational policies or practices a little, but not enough.

“What’s interesting about the poll results is that while these fines might inspire more action on the companies’ parts, they don’t inspire more confidence in individuals that their personal data will be better protected,” said David Meltzer, CTO of Tripwire.

“Organisations will have to continue working for their customers’ trust. Those who have put the right amount of focus in establishing best practice fundamental security measures have a head start.”

The biggest GDPR fines so far

There have been relatively few GDPR fines issued at present, due to the time it takes for each country’s enforcement body to investigate an incident. However, we have now seen a number of relatively high-profile fines being issued, particularly now that the law has been in place for over a year.

While the UK’s ICO has issued the biggest GDPR fines so far, there have also been a number of other high-profile fines across the EU. Here are the highest-value fines at present:

  1. British Airways (£183.39m)

The UK ICO announced that it intended to fine BA an eye-watering £183.39m at the start of July for a 2018 breach impacting around 500,000 customers, including the payment data of many. The fine, which represented 1.5% of the company’s global annual revenue, was the first issued under GDPR in the country.

  2. Marriott International (£99m)

Less than a week after the BA fine, the UK ICO also issued a £99.2m fine to Marriott International for a data breach impacting around 330 million hotel guests of its subsidiary Starwood. The fine also represented 1.5% of its global annual revenue.

  3. Google (£44m)

In January the French National Data Protection Commission (CNIL) issued Google a fine of €50m (£44m) for failing to provide adequate transparency or acquire valid consent for its ad personalisation. Despite being relatively low compared to the search engine giant’s revenue, it represented the first major fine by a GDPR regulator.

  4. Centro Hospitalar Barreiro Montijo (£364,000)

April saw Portugal’s data protection authority issue a €400,000 (£364,000) fine to the Centro Hospitalar Barreiro Montijo, a hospital in the country, for poor data handling practices, including allowing unreasonable numbers of users indiscriminate access to patients’ personal data and failing to follow basic data processing practices.

  5. Bisnode (£200,000)

The Polish data protection authority, the Personal Data Protection Office (UODO), issued its first fine in April to digital marketing company Bisnode. The company was slapped with a €220,000 (£200,000) fine for failing to contact the six million people whose data it was using. This case was particularly notable as the company had claimed it would cost at least €8m to contact the users and so comply with GDPR.

Building company trust with data privacy regulations

There are undoubtedly more GDPR fines on the way, meaning that the record for the biggest GDPR fine so far is certain to be broken sooner or later. However, for companies waiting to see how high the fines go before they take serious action, the advice is to act now.

“Organisations playing the waiting game on GDPR – or any other data privacy regulation for that matter – might want to kick it into gear now,” said Meltzer.

“As we wait to see how, or if, these fines will be paid out, GDPR enforceability has caught momentum.”
