GDPR Fines and Penalties: Big businesses that paid a big price

March 20, 2017 1:43 pm Natalie Thorpe

With the new General Data Protection Regulation coming into force on May 25 2018, it is crucial that organisations realise the effect that this will have on their business. Organisations need to put into place a GDPR campaign to plan the implementation of new procedures to reach full compliance.

The Payment Card Industry Security Standards Council (PCI SSC) has warned UK businesses that they could face up to £122bn in penalties for data breaches when the new EU legislation comes into effect.

According to a 2015 information security breaches survey, 90% of large organisations and 74% of SMEs in the UK reported a security breach, highlighting the importance of starting a GDPR readiness campaign well in advance of the 2018 enforcement date.

GDPR will introduce fines for non-compliance of up to €20m or 4% of annual worldwide turnover, whichever is greater. These figures will far exceed the current maximum fine of £500,000 issued by the ICO. However, GDPR penalties are only one facet of the backlash companies will receive if they fail to protect their customers’ data effectively. Reputational damage, business disruption and financial losses also have a significant impact on firms who suffer a data breach.

Below we have compiled some of the top data breaches to hit the headlines in recent years and the effect GDPR would have on a similar-scale breach come May 2018.

1. TalkTalk

In October 2016, the Information Commissioner’s Office (ICO) hit TalkTalk with a £400,000 fine for the 2015 cyber-attack that exposed the personal details of more than 150,000 customers. Considering that the company would have been fined over £71 million under the new GDPR legislation, TalkTalk got off lightly.

£400,000 vs £71 million

2. Yahoo

In 2014, Yahoo suffered one of the biggest data breaches of all time which affected 500 million users. It also disclosed a large-scale breach from 2013 that compromised 1.2 billion user accounts. To put that into perspective, that’s one for every seven or eight people on Earth! The breaches hit the headlines late in 2016 awarding Yahoo the crown for the largest cyber-attack in history involving a breach of personal data.

Considering that Yahoo’s revenue numbers have been hitting the $4.5 billion mark in recent years, it has been predicted that Yahoo would be paying $90 million or more to the EU under GDPR, given that it processes EU citizens’ data. Coupled with the fact that Verizon (which bought Yahoo shortly after the breach) paid $350 million less than it had originally been prepared to pay, Yahoo suffered enormously because of this attack.

3. Sony

In April 2011, the PlayStation Network was targeted by hackers whose identities are still unknown. Sony originally said that the personal information of 78 million PlayStation Network users had been exposed. However, the number of breached accounts later rose by 24.6 million when investigators revealed that the attackers had also infiltrated Sony Online Entertainment and Qriocity. The credit-card data of 23,400 SOE users in Europe was also stolen. In 2013, Sony was fined £250,000 by the ICO. However, Sony could have been fined just over $2.5 billion had GDPR been in place.

£250,000 vs $2.5 billion

4. Three Mobile

In late 2016, one of the UK’s biggest network providers, Three Mobile, confirmed that the details of 133,827 of its nine million customer accounts had been accessed. This occurred after a hacker used employee credentials to log into Three’s database. Information stolen included names, addresses, telephone numbers and email addresses, amongst other details. Under GDPR, Three could have walked away with an estimated £84 million fine, highlighting again the importance of GDPR compliance.

5. Tesco

In 2016, the supermarket giant’s banking arm came under attack, resulting in the theft of £2.5m from 9,000 customers’ accounts. It is estimated that had GDPR been in place at the time, Tesco would have been checking out with a £1.9 billion fine.

The current and rising threat level within the cyber security landscape, not to mention hefty fines coupled with a loss of customer confidence, can only mean one thing: it is imperative that organisations up their game across the board in terms of compliance and cyber security awareness to prevent, detect and respond to cyber-attacks which can lead to breaches of personal data.

At MetaCompliance we are dedicated to serving organisations across all platforms in achieving compliance and creating a better awareness of crucial security issues amongst the most important defence a company has: your human firewall – your employees. Contact us today to learn about how we can help you kick-start your GDPR campaign, or join the IAPP webinar where the MetaCompliance CEO, Mr. Robert O’Brien, will be discussing GDPR project implementation. You can also download a free GDPR policy document and Best Practice implementation guide here.