- GDPR legislation is designed to prevent data breaches by encouraging businesses to implement stricter security protocols
- Despite the threat of hefty GDPR fines, several data breaches have occurred and are being investigated by the regulators
- A data protection breach is any event which results in the loss or unauthorized sharing of data which can be used to identify an individual
What Do You Need to Know About GDPR & Data Security?
Could a security breach caused by a website hack destroy your business? Before GDPR came into effect in May 2018, the maximum fine for a data breach in the UK was £500,000. However, with GDPR now in place, any data breach can attract a fine of either £20,000,000 or 4% of total global revenue (whichever is higher).
What Constitutes a Data Breach Under GDPR?
Data protection regulations in the EU classify a data breach as any security breach which leads to the accidental or unlawful sharing, loss, disclosure, destruction, or alteration of data which can be used to personally identify EU citizens.
As for why the EU takes data breaches seriously, the reason is simple. When personally identifiable information falls into the wrong hands, data can be used to commit fraud and identity theft.
How Common are Data Breaches?
In December 2018, online question and answer platform Quora revealed that it had lost over 100 million user email addresses, passwords, and IP address records. The data breach itself was the result of a hack. A similar hack at the same time saw Marriott Hotels lose control of over 5 million unencrypted guest passport numbers.
In the case of the Marriott breach, the Information Commissioner's Office is leading the investigation in the EU and could pursue a GDPR fine of up to $915 million, which is 4% of their total revenue of $22.89 billion. Moreover, GDPR fines are already being levied against businesses and data controllers across Europe, the UK and the U.S.
- In November 2018, an accidental security breach in Malta saw the Maltese Lands Authority website leak 10 gigabytes of personally identifiable information. The Maltese Lands Authority has since been fined €5,000
- Netflix, YouTube, and Apple may be investigated after a complaint filed with the Austrian Data Protection authority by privacy group Not Your Business
- London’s Royal Borough of Kensington & Chelsea has been fined £120,000 for a data breach which saw 943 people personally identified during a public freedom of information request
How to Prevent a Data Breach Impacting Your Business
Recent data breaches which have resulted in GDPR fines share several similarities.
- Unencrypted data lost in hacks or accidentally shared with third parties
- Many big tech companies seem to have difficulty fully disclosing their data sharing practices to their customers
- Data breaches which occur by accident often come about due to human error
The above points are important, as in every case, firms could have avoided fines by:
- Encrypting all user data
- Better clarifying data sharing policies in website privacy policies
- Implementing better internal data handling policies
GDPR Data Protection Compliance Doesn’t Have to be Difficult
Big brands like Marriott, Netflix, and Apple can afford to pay GDPR fines without suffering too much in the process. However, startups and SMEs can't. In fact, in many cases, a single security breach could put an SME out of business.