The EU General Data Protection Regulation (GDPR) came into force in May 2018. This followed a two-year grace period which the EU gave organisations processing the personal data of its residents to become GDPR compliant. Sadly, many businesses are still not compliant over a full year later.
UK GDPR Data Breaches Top 10,000
In February 2019, it was revealed that reported GDPR data breaches in the UK had already topped 10,000. Worse, it is estimated that over a third of large UK and EU businesses will not be fully GDPR compliant until 2020.
To illustrate the importance of full GDPR compliance in 2019, we’ve compiled a list of 10 notable GDPR data breaches which have already adversely affected EU and international businesses and public bodies.
Municipality of Bergen GDPR Data Breach Results in €170,000 GDPR Fine
In Norway in March 2019, the Municipality of Bergen became the latest European local authority to fall foul of the GDPR (Norway applies the regulation through the EEA Agreement).
Although the date of the breach is not clear, a file containing personal records belonging to 35,000 Bergen school students and employees was discovered by a student in an unsecured location on a shared teaching and learning platform. In response to the data breach, the Norwegian Data Protection Authority (Datatilsynet) issued the Municipality of Bergen a GDPR fine totalling €170,000. The municipality stated in a press conference that it did not wish to appeal the decision.
Airbus GDPR Data Breach Results in €250,000 Fine
In January 2019, aerospace and defence manufacturer Airbus was targeted as part of a large-scale cyberattack. A GDPR fine of €250,000 has since been levied against Airbus by EU authorities.
Marriott GDPR Data Breach Estimated to Result in $915 Million Fine
In November 2018, Marriott International disclosed that attackers had had access to the guest reservation database of its Starwood hotel brands since 2014. Among hundreds of millions of guest records, approximately 5.25 million unencrypted passport numbers were exposed. No GDPR fine has yet been awarded against Marriott. However, many believe that the fine could amount to approximately $915 million (4% of annual turnover, the maximum the GDPR allows).
British Airways Data Breach Affects 380,000 Ticketing Transactions
Between 21st August 2018 and 5th September 2018, a British Airways cyberattack saw payment details from 380,000 ticketing transactions harvested by attackers, who had inserted a malicious script into the airline’s website that copied card data as customers typed it.
Despite being one of the most significant UK GDPR data breaches since the May 2018 implementation of GDPR, it is unclear what amount British Airways will be fined. Once the attack was discovered, British Airways reported it within 24 hours. British Airways has also offered to compensate individuals affected by the attack.
Knuddels Data Breach Results in €20,000 GDPR Fine
In November 2018, German social media platform Knuddels reported a data breach in which hackers stole hundreds of thousands of user email addresses and login credentials. The stolen passwords had been stored in plain text rather than hashed, which is what the regulator took issue with. However, as with British Airways, the responsible German supervisory authority, the data protection authority of Baden-Württemberg (LfDI), appreciated the fact that Knuddels reported the breach promptly and cooperated with the investigation. As a result, Knuddels was fined just €20,000 once investigations were finalised.
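The Knuddels fine turned on a single storage decision: passwords kept as plain text, so a copy of the user table was immediately a copy of every login. The following is an added example (not code from the original article or from Knuddels) showing that vulnerable state beside the fix: salted PBKDF2-HMAC-SHA256 hashing with a constant-time comparison, plus the migration path a site in Knuddels’ position needs, upgrading each legacy plain-text record at the moment the user next logs in. The sample account table, the record format and the function names are this example’s own constructions.

```python
"""Plain-text password storage (the Knuddels failure) beside salted hashing.

Constructed example for this article; none of the accounts or records here
are real Knuddels data.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware speeds up
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed table for everyone.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def is_hashed_record(record: str) -> bool:
    """True if the stored value is in our hashed format rather than plain text."""
    return record.startswith(ALGORITHM + "$") and record.count("$") == 3


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not is_hashed_record(record):
        return False
    _, iterations, salt_hex, digest_hex = record.split("$")
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Legacy plain-text records, or hashes below the current work factor, need upgrading."""
    if not is_hashed_record(record):
        return True
    return int(record.split("$")[1]) < iterations


# Computed once so that a login for an unknown user costs the same as a real
# verification; otherwise response time reveals which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def login(table: dict, username: str, password: str) -> bool:
    """Authenticate against `table` (username -> stored value) and transparently
    upgrade plain-text or under-iterated records on a successful login.

    `table` may still contain plain-text passwords left over from the old
    scheme; that is the migration case, handled here rather than by a bulk
    job, because the plain-text password is only available at login time.
    """
    record = table.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    if is_hashed_record(record):
        ok = verify_password(password, record)
    else:
        # Legacy plain-text record (the vulnerable state): compare in constant time.
        ok = hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))
    if ok and needs_rehash(record):
        table[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample table in the vulnerable state: passwords in the clear.
    users = {"alice": "correct horse battery staple", "bob": "hunter2"}
    assert login(users, "bob", "hunter2")        # succeeds and migrates bob's record
    assert is_hashed_record(users["bob"])        # a table dump no longer yields the password
    assert not login(users, "bob", "hunter3")
    print(users["bob"])
```

Note that passwords are hashed, not encrypted: an encryption key on the same server would have let the attackers recover every password just as the plain-text table did. A memory-hard function such as Argon2id is the stronger choice where a library is available; PBKDF2 is used here because it ships with the Python standard library.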
Malta Lands Authority Given GDPR Fine for Data Breach
In February 2019, the Maltese Lands Authority was issued a GDPR fine of €5,000 after its website failed to secure the personal information of clients. Instead of being anonymised and adequately access-controlled, the identity card details and email correspondence of around 5,000 website users were publicly accessible.
London Newham Council Hit With £145,000 Fine for Data Breach
In November 2018, Newham Council in London was issued a £145,000 fine after a council worker accidentally breached UK data protection law. In the case in question, Newham Council released an unredacted document into the public domain, detailing the names of residents suspected of involvement in local gang violence. Note that the breach itself occurred before the GDPR applied, so the fine was issued under the older Data Protection Act 1998; had it occurred after GDPR implementation, the fine could have been much higher.
Google Fined £44 Million in France
To date, the most severe GDPR fine in Europe has been levied against Google, and Google and Facebook have faced the largest privacy penalties overall. However, neither tech company has been penalised in response to a cybersecurity-based data breach. Instead, Google was fined £44 million (€50 million) in January 2019 by the French data protection authority, CNIL, which found that Google had used consumer data for advertising purposes without ‘sufficiently informing’ users how their data would be shared and processed.
Portugal Hospital Hit With €400,000 GDPR Fine for Data Breach
Hospital do Barreiro in Portugal is notable as one of the first major public bodies in Europe to fall foul of the new GDPR legislation. Found to have allowed staff without a medical role to access patient clinical records, through accounts carrying doctor-level privileges, without the patients’ knowledge, Hospital do Barreiro was fined €400,000 by the Portuguese data protection authority (CNPD) shortly after GDPR came into effect.
Lessons Learned from GDPR Since May 2018
Between May 2018 and June 2019, EU data protection authorities report having been notified of over 90,000 GDPR data breaches. GDPR fines will, therefore, likely become even more commonplace in the near future. To date, though, it is also the case that many GDPR fines concerning data breaches could have been easily avoided.
In most of the cases above, the breach was the result of human error or of sensitive information being stored unprotected: in plain text, unencrypted, or accessible to far more people than needed. GDPR fines have also been less severe where data controllers promptly reported data breaches, as Article 33 requires (without undue delay and, where feasible, within 72 hours of becoming aware of the breach). It is, therefore, entirely possible for businesses to avoid GDPR non-compliance issues by implementing more robust data storage and handling safeguards, and by reporting quickly when those safeguards fail.