Before the massive GDPR fines kicked in, data protection fines were already growing in size and frequency. As concern for the protection of personal information grew, the GDPR was created to give individuals control over their own data; it came into force on 25th May 2018. Below we look at some of the biggest data breaches of recent years. Note that the fines would likely have been substantially larger had the GDPR been in effect at the time.
Carphone Warehouse received a £400,000 fine after putting employee and customer information at risk. The cyber attack succeeded because of inadequate security measures and went undetected for 15 days. The attackers gained access to personal information and credit card data belonging to over 3 million people.
An estimated 87 million Facebook users had personal information about their political affiliation harvested via a quiz app; through it, their data was collected, stored and shared. Facebook received a £500,000 fine, the maximum available under the previous law, for its role in the Cambridge Analytica scandal.
Due to a lack of proper data protection and security measures, TalkTalk was given a £400,000 fine. Attackers used SQL injection to access the data of 156,959 customers. On top of this, they also obtained the sort codes and account numbers of 12,656 customers.
Crown Prosecution Service
After losing DVDs containing sensitive information about 15 victims of child sex abuse and others involved in their cases, the Crown Prosecution Service was fined £325,000. The DVDs, which were intended for use at trial, went missing between a reception desk and a delivery courier. Their whereabouts are still unknown.
In 2014, Yahoo experienced the largest data breach recorded up to that point, with 3 billion user accounts compromised. Personal information such as email and home addresses, as well as passwords, was stolen. It was not until October 2017 that Yahoo realised the full extent of the damage and just how many people were affected. They were fined £250,000.
Had the GDPR been in place at the time, Yahoo would have faced far larger fines for this breach. Beyond the sheer number of people affected, Yahoo took far longer to report the incident than the 72-hour deadline the GDPR now requires (not yet enforceable at the time).
In 2014, the personal information of 145 million eBay users was breached: names, addresses, dates of birth and passwords were compromised, though financial information remained secure. The fine was capped at £500,000 under the previous law. Users were notified within the same month as the breach; had the GDPR been in place, however, that delay would have been a violation of the 72-hour rule, resulting in larger fines.
In 2017, Equifax lost the personal information of 143 million customers, with a further 209,000 also having their credit card details stolen. Again, this equated to only a £500,000 fine under the previous law, but Equifax would also have missed the GDPR's 72-hour reporting rule.
That said, Equifax launched a website so that users could find out whether their information had been compromised, and also offered credit monitoring. This cooperation and effort to put things right would weigh heavily in their favour in any ruling made under the GDPR.
Had the GDPR been in force at the time of these fines, they would likely have been much larger.
GDPR fines work on a two-tier system. The lower tier, for "smaller" breaches of the GDPR, can mean a fine of up to €10 million (£8.9 million) or 2% of annual global turnover, whichever is higher. The upper tier, for the most serious breaches of the regulations, can cost as much as €20 million (£17.8 million) or 4% of annual global turnover, whichever is higher.
And remember, the GDPR doesn't just apply to larger businesses: it applies to everyone...