GDPR is now three: has it made a difference to the way businesses store data and who has been fined?
The European Union's General Data Protection Act (GDPR) was launched in 2018, how has the replacement to the Data Protection Act 1998 impacted the way companies store and handle data. The original act was designed by Parliament to protect personal data stored on computers or in organised paper filing systems. With the introduction of GDPR, this now covers the way data is stored electronically. To date 600 companies have been fined for breaching the new data protection regulations, with fines ranging from €28 up to €111 million.
GDPR was put in force as legislation that protects the way data can be used, stored and processed, regarding consumer's personal details in organisations that operate in the EU. The Data Protection Act it replaced didn't take into account the use of technology and the way data was collected. When GDPR was first introduced there was worry in the business community at the responsibility that businesses now had to introduce to protect the data storage of their customers and consumers. With the thread of big fines, if it could be proved that companies had been negligent while storing the personal data on their company's networks.
Data is now regarded as a commodity in its own right and as such, the responsibility for handling and storing personal data has to be a main priority for all companies that data capture the personal details they then store on their systems. Every business had to comply if they stored any form of personal details of customers, and even went as far as including the images filmed and stored on company's CCTV systems.
The ICO (Information Commission Office) oversaw the introduction of GDPR in the UK by contacting every business and asking them to register and pay an annual fee, in order to agree to comply with the new GDPR regulations. All businesses had to comply whether they were a large organisation or small business with a CCTV outside used as a part of a security system, with small businesses paying as little as £40 per year to register.
The first major company to be fined under the GDPR data breach was British Airways who was fined £20 million by the ICO and fines are based on 10% of profits for an organisation. The ICO ruled that BA had been negligent as hackers were able to infiltrate the airlines website with malicious code that then redirected its users to a fraudulent site which then harvested the personal details of 5000,000 customers. These details included login credentials, booking details, customers names, credit card information and addresses. The size of the fine sent ripples throughout the entire business community. The ICO and GDPR was going to be taken seriously from now on and all companies had to be extra vigilant and protect their data from any sort of breach.
Marriot International, the hotel chain, was fined £18.4 million, as it did not have the sufficient safeguards in place to protect the data of their guests. A data breach had taken place in 2014 and only when they had to agree to GDPR in 2018, that they admitted the earlier data breach, when the details of 300 million customers had their credit card details exposed, which included other personal details such as passport numbers and dates of birth.
Google was also in breach of the regulations and was fined €50 million by CNIL, the French data protection regulator. This fine was due to lack of transparency by Google regarding their online ads, where inadequate information and lack of consent when users viewed personalised ads. Google had not informed users about how data would be collected for personalised advertising.
The Swedish retail group H&M was fined €35 million, for leaking highly confidential data of hundreds of staff working at its customer services centre in Nuremburg. These leaked details included information gathered from personal staff interviews between managers and employees and included details of employees personal lives and health data. These details had been stored and were only supposed to be accessed by managers, but other H&M staff were also able to access these confidential files. All leaked data was immediately deleted when the breach had been discovered.
Since the introduction of GDPR all businesses now have a 'duty of care' to their customers, clients and staff, when collecting, handling and storing personal data. As digitally stored data is now so highly regarded by hackers, companies must make it an absolute priority to keep any personal data safe.