What can we learn from GDPR fines?

In the last week there have been two significant fines signalled by the ICO under the GDPR. A complete list of fines issued under GDPR, since its introduction in May 2018, can be seen here

Now we are a whole year on from its introduction what have we learned? 

  • According to a 26 Feb 2019 report by the European Data Protection Board (EDPB) 31% of enforcement actions initiated were based on controller data breach notification. However, as recent fines show, enforcement action can be initiated on a media report, SA inspection, single (or group) data subject complaint or a controller notification. We have also seen our first processor fine, as a result of security failings.
  • As the Marriot fine proves, security issues that originate before 25th May 2018, when GDPR came into force, can still be fined under GDPR.
  • Fines issued have not all been as a result of major data ‘hacks’ and security breaches. Enabling unauthorised access, not appropriately restricting access to personal data, and not redacting personal data made publicly accessible online (even where there’s no evidence of damage to individuals) have also resulted in fines. Similarly a fine can also be imposed if you don’t check that a break has been properly remedied.
  • Aggravating factors, leading to increased fines, include the nature of data (political opinions, ID cards, bank details etc), data involving vulnerable groups (e.g. children), large volumes of personal data and the amount of time the breach remained without action. Not following processes for escalating reported breaches, delegating breach repair without proper checks being in place, a lack of documentation of breaches and failing to notify the SA or data subjects have also all been seen to increase fines.
  • Mitigating factors, however, include promptly self-reporting a data breach, cooperation and transparency, swift implementation of fixes and consideration of the overall financial burden of the security improvements, when viewed against potential fines.

Over recent months we have written a number of blog articles providing guidance on GDPR matters and the steps organisations should take to avoid data breaches and to mitigate fines, should they happen. Elizabeth Gibbs has written an in-depth review of GDPR - one year on, containing advice for organisations.  Further articles on GDPR and eprivacy can be seen here including: