The consequences of inadequate data security

Businesses of every size are affected by one aspect of GDPR in particular: the requirement to put adequate security in place to protect any personal data they hold.

A company that does not implement sufficient measures and security sharply increases its chances of falling victim to a data breach. Naturally, the bigger the company, the higher the fine will be and the more victims of data theft there will be.

Compliance Compendium’s Gareth Gadd said, “I found the recent Tripwire survey of security professionals quite interesting. It seems respondents believe that although the large GDPR fines will get companies to change policies or practices ‘a little, but not enough’ (53%) and take GDPR more seriously (60%), they felt that the recent fines did not make them feel personally more confident about their data privacy (71%).

“This shows an interesting take on the situation. Whatever companies might do corporately, individually, folk don’t believe that their personal data is any better protected. It’s about that crucial issue of trust. All companies have a constant battle to maintain the trust of individuals that use their services, and that’s true especially for customer-facing organisations. And as has been highlighted in other surveys, people will be loyal to organisations that they feel will look after their data properly.”

Aside from the GDPR fines issued to British Airways, Google and Marriott International, a lot of the fines have not received much coverage. That’s not to say there haven’t been a lot of fines.

Google was fined €50m at the start of the year by the French regulator for insufficient transparency, British Airways was fined £183m last month by the UK ICO for poor security arrangements, and Marriott International has received penalties of over £99m from Turkish and British regulators for failing to carry out sufficient checks.

Just some of the other fines include:

Active Assurances – fined €180,000 by Commission nationale de l’informatique et des libertés (CNIL) for failing to implement strong security measures.

PricewaterhouseCoopers – fined €150,000 by the Hellenic Data Protection Authority (HDPA) for unlawful employee data processing.

HagaZiekenhuis – fined €460,000 by the Netherlands’ AP for insufficient security of medical records.

Cathay Pacific – fined €130,000 by Turkey’s KVKK for failing to implement technical and administrative measures for data security.

UniCredit Bank Romania – fined €130,000 by Romania’s ANSPDCP for failings in technical measures.

EE – fined by UK’s ICO for sending 2.5 million marketing messages without consent.

Segic (a real estate marketplace) – fined €400,000 by CNIL for poor security measures on personal data.

Translation provider Uniontrad Company – fined €20,000 by CNIL for excessive video surveillance and failing to protect passwords.

La Liga – fined €250,000 by Spain’s AEPD for failing to disclose the purpose of the microphone permission used by its mobile app. The app used the microphone to spy on users and detect whether they were streaming a game.

The Municipality of Bergen – fined €170,000 by Norway’s Datatilsynet for making student and employee login credentials available in a public storage area.

Payments processor MisterTango – fined €61,500 by Lithuania’s ADA for processing more data than necessary.

Hospital do Barreiro – fined €400,000 by Portugal’s CNPD for not putting correct authorisation measures in place.


Copyright © 2018 RegTech Analyst
