Invest in data security now to avoid costly GDPR fines
Since the GDPR was adopted in 2018, there has been a significant increase in the size and quantity of data protection fines. Whilst the regulators have in 2020-21 been more lenient due to the financial hardship encountered by many businesses during the Coronavirus pandemic, we can expect the Data Protection Authorities (DPAs) to step up their game again. The authorities that have slapped the biggest fines in the EU include Italy, Germany, France and Spain, as well as the UK (prior Brexit). Many of the fines relate to security breaches and could have been avoided with proper data security / cyber security measures in place.
Recently, the Dutch DPA fined Transavia €400,000 for poor data security. In this case, a hacker was able to break into Transavia’s systems, which include personal data of 25 million passengers. Allegedly, the hacker was able to break into Transavia’s systems through two company accounts in the IT department. In this case, some fairly elementary faults in data security were detected: the password was easy to guess, only one password was needed to enter the system, and there was no multi-factor authentication in place.
Once the hacker had control over the two accounts, he also had access to multiple Transavia systems. This is because the access rights connected to these accounts were not restricted to only necessary systems.
I would argue that it would have cost the company a lot less than €400,000 to invest a little more in data security and avoid the data breach.
Security breaches can happen in any business regardless of the size. British Airways lost personal details of 400,000 customers in 2018. The case was finally closed by the UK regulator, ICO, last autumn. Seemingly lucky and of course helped by a large legal team, the company escaped with ‘just’ a £20m fine – much reduced from the original.
The ICO claims that this breach could have been avoided by having sufficient security measures in place. Again, no multi-factor authentication was used. Around the same time, the hotel chain Marriott was fined £18.4m for a data breach in which hackers got access to the hotel’s reservation database. Curiously, the hack went undetected for two years during an acquisition due to the lack of due diligence.
According to the ICO, the company failed to properly monitor accounts that would have detected the breach. It also failed to properly monitor databases, implement server hardening as a preventative measure and encrypt certain personal data.
In Italy, Vodafone Italia has been fined for several GDPR infringements including the failure to properly secure customer data. Even if the fine was imposed mainly for unlawfully processing personal data of millions of users for telemarketing purposes, the regulator found during its investigations that the company had not managed to prevent unauthorised access to the customer database.
Perhaps a large part of the fine, €12.25 m in total, could have been avoided by paying more attention to data security aspects, also in relation to third-party data processors.
According to the GDPR, the fines must be effective, proportionate and dissuasive for each individual case. So far, the regulators have different views on ‘proportionate’, and while there is no European-wide fining formula, we are seeing national DPAs argue their cases at the European level with fines sometimes raised substantially from the original sum.
But what can organisations do to avoid fines? Firstly, invest in at least basic data security / cyber security measures.
The GDPR requires the implementation of ‘appropriate technical and organisational measures’. Technical security measures include access control and authentication. An example of organisational measures would be using passwords and encryption. SMEs may not have all the tools available due to the cost factor, but firewalls are a start.
Technology goes a long way but equally important is to train staff. They do not need to understand data protection law from a to z, but have a working knowledge of the practices that affect their particular job. Sometimes data security breaches occur simply due to lack of cooperation. Make sure staff from different departments talk to each other and flag anything suspicious to IT immediately.
Sometimes, it is the smallest of errors that can have catastrophic consequences. A misdirected email can be the primary cause of data loss. Focusing on people and making them understand the basics of good information governance goes a long way.
In the worst case, if your organisation is faced with an investigation by the data protection authority, or a fine, be responsive and cooperative. It is a fact that regulators have reduced fines for organisations that are helpful from the start, and provide all the necessary information.
It could be argued that the EU regulators have focussed on catching ‘big fish’ by concentrating their enforcement efforts largely on high-risk sectors such as telecoms companies and big tech. However, that would be a misleading path to take. When we see a large fine on a company, it represents only a small fraction of cases that are investigated. So smaller companies may well get caught if they experience a data breach – especially if very sensitive data is compromised. This is due to sensitive data having an even lower threshold in the EU – any data breach incident that involves data on heath, sexual orientation, race etc would almost always need to be reported to the data protection authority. The European level authority, the European Data Protection Board has issued some very useful guidance in this respect.
By Laura Linkomies,
Business writer and editor specialising in data privacy.