It’s been eight months since the arrival of the General Data Protection Regulation (GDPR) and, while the sense of urgency has somewhat settled, businesses like yours need to make sure they’re taking action to comply.
Unfortunately, an alarming number of businesses are burying their heads in the sand and hoping it all goes away, with recent research showing that 70% of companies are still not fully compliant. With the rise of so-called GDPR bounty hunters and the flurry of Data Protection Act (DPA) fines handed out at the end of 2018, your business can’t afford to be complacent – these are signs of things to come for GDPR enforcement and the risks of non-compliance.
The rise of GDPR bounty hunters
The introduction of GDPR didn’t stop big companies from experiencing cyber-attacks in 2018. In fact, British Airways, Marriott and Quora all fell victim to cyber-crime last year. You must keep reviewing your cyber-security to make sure your data is safe in 2019 and beyond.
On top of this, you need to know that GDPR has given rise to a new breed of cyber-criminal: the GDPR bounty hunter. These hackers steal personal data from businesses and then blackmail them with the threat of reporting the breach to the Information Commissioner’s Office (ICO) unless a ransom is paid.
ICO has upped its DPA enforcement (and GDPR will follow)
There wasn’t a huge amount of GDPR enforcement in 2018, but ICO’s increased DPA action last year is a clear indicator that GDPR is going to get serious in 2019. The European Data Protection Supervisor, Giovanni Buttarelli, recently told Reuters to expect the first fines soon and that those likely to be sanctioned will come from all around the EU, including a number of public bodies.
That said, the first GDPR enforcement action has already been taken: AggregateIQ Data Services Ltd (a digital marketing firm linked to the Cambridge Analytica scandal) was ordered to perform an audit or face the maximum fine.
Many large companies operating in the UK also faced huge fines under the DPA before GDPR came into force (for data breaches as well as nuisance calls and unsolicited marketing emails), with Facebook and Equifax each receiving the maximum DPA penalty:
Facebook was fined £500,000 for its role in the Cambridge Analytica scandal, where a political consulting firm gained access to 87 million Facebook users’ personal data.
Uber was fined £385,000 for a 2016 data breach that resulted in up to 2.7 million UK customers having their personal data exposed.
Equifax was fined £500,000 for a 2017 cyber-attack in which the sensitive financial data of US and potentially UK customers was stolen.
BT was fined £77,000 for sending roughly five million marketing emails to customers from whom BT had not properly gained consent.
And ICO has already shown that it’s not taking any nonsense in 2019, having fined SCL Elections (Cambridge Analytica’s parent company) £15,000 for ignoring a data request.