Since the GDPR (General Data Protection Regulation), the European regulation that most rigorously governs the processing of the personal data of European Union citizens, became applicable in May 2018, numerous fines have been imposed on companies for failing to comply with it.
Until the GDPR came into play, the rules on the use and processing of personal data were quite lax and did not reflect the growing number of attacks and data thefts suffered by companies and organizations, which has increased year after year. The best-known fine under the previous regime was the one imposed on Facebook after the Cambridge Analytica scandal: £500,000 (about €565,000), the maximum the UK's old Data Protection Act allowed, and a very low figure compared to those now possible under the GDPR.
This new European regulation, in force for a little over a year now, is very clear about personal data and its sensitivity: fines can reach 20 million euros or 4% of the company's global annual turnover, whichever is higher, with the amount depending on the nature and severity of the infringement and on how the company cooperates with the supervisory authority.
Two of the largest fines announced under the GDPR so far came within days of each other in July 2019, when the UK Information Commissioner's Office (ICO) issued notices of intent against British Airways and Marriott. They dominated the news and made clear the consequences a company may face if it does not comply properly with the GDPR.
The Marriott data breach, the most significant in the tourism sector
If we rank these incidents by the size of the fine announced under the GDPR, the data breach suffered by the Marriott hotel group comes second, with the ICO announcing its intention to fine the company £99.2 million (about 110 million euros). The breach, which involved the guest reservation database of Starwood, a chain Marriott acquired in 2016, exposed the records of up to 383 million guests, including their names, email addresses and telephone numbers.
This leak of Marriott customers' personal data is the most serious incident so far in the tourism sector, and the second most serious in history after the Yahoo breach whose full scale was disclosed in 2017. The volume of sensitive data was astonishing: 8.6 million encrypted payment card numbers, 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers. The split between encrypted and unencrypted passport numbers is itself the practical lesson: the attacker took both sets of records, but the encrypted ones are only usable if the keys were obtained as well, while the unencrypted ones are usable immediately.
The fine handed down to British Airways, the largest in history
The largest fine proposed since the GDPR came into force is £183.39 million (about 205 million euros), a figure that serves as a reference point for the most serious consequences of a data breach. The company on the receiving end of this record notice, British Airways, now knows what it is to face such a hefty penalty, although the amount fell well short of the 4% maximum: the ICO put it at about 1.5% of the airline's worldwide turnover for 2017.
The investigation found that the personal data of around 500,000 customers had been compromised: names, email addresses, payment card numbers and expiry dates, and even the three-digit CVV security codes. The last item is telling. Merchants are not permitted to store the CVV after a payment has been authorised, so its presence in the stolen data shows it was not taken from a database at rest; the ICO found that traffic to the airline's website had been diverted to a fraudulent site that harvested the details as customers typed them in. Encrypting stored data, however well it is done, does not help against that kind of attack, which has to be countered on the website itself.
Mass data theft suffered by Bulgaria
The public sector has also learned the consequences of a serious data breach. One of the largest recently reported compromised the sensitive data of some 5 million people in Bulgaria, which for a country with a total population of around 7 million represents a serious blow and the biggest breach in its history.
The stolen information included names, income details, tax returns, health insurance and loan payment data. As a result, Bulgaria's National Revenue Agency (NRA) could face a fine of up to 20 million euros for a breach that compromised the data of almost every adult in the country, potentially one of the largest fines for non-compliance with the GDPR.
Lack of concern about cybersecurity and data protection
There is one ingredient found again and again in these huge data breaches: a lack of investment in cybersecurity and in the protection of sensitive data. In each case, security standards were low and little was being done to prevent this sort of catastrophe, which made it easy for attackers looking to harvest personal data by the million.
As the Information Commissioner, Elizabeth Denham, states: “The GDPR makes it very clear that organizations must be responsible for the personal data they possess”. Data and information are assets that must be protected at all costs, and resources and budgets must be allocated to minimize the likelihood of a leak.
The consequences, as these cases show, are serious: heavy GDPR fines, loss of reputation and more. It is therefore also very important to have the right tools in place to protect sensitive data and prevent incidents.
What if I have personal data in files or documents?
In many of the data leaks that have made the news, the information was stored in databases which, for lack of adequate security measures, allowed the data to end up in the wrong hands.
On other occasions, however, personal data regulated under the GDPR is stored in PDF, Excel and Word documents, and even in emails. In these cases encryption is especially useful for keeping sensitive data safe from leaks that, as the cases above show, may end in a multi-million euro fine. The condition is that the key is managed separately from the file: an encrypted document that leaks together with its key is no better protected than a plain one.
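As an added illustration, not part of the original article and not SealPath's code, the following Go program shows what encryption at rest actually buys. A row from a constructed guest spreadsheet is sealed with AES-256-GCM under a key generated in memory (a stand-in for a key held in a KMS or HSM, or wrapped per authorised user), and the resulting blob cannot be read with the wrong key, altered without detection, or passed off as a different document. The record, file name and key are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example: encrypting a document at rest with AES-256-GCM so that a
// leaked copy is useless without the key. Not SealPath code; the key is
// generated in memory for illustration, where a real deployment would keep it
// in a KMS or HSM, or wrap it per authorised user.

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document. Output layout: nonce || ciphertext || GCM tag.
// label (e.g. the file name) is bound as associated data, so a sealed blob
// cannot be quietly swapped in under a different document's name.
func Seal(key, document, label []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return aead.Seal(nonce, nonce, document, label), nil
}

// Open reverses Seal. A wrong key, a flipped byte, a truncated blob or a
// mismatched label all yield an error, never silently corrupted plaintext.
func Open(key, sealed, label []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short to contain nonce and tag")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

func main() {
	// Constructed sample record standing in for one row of a guest spreadsheet.
	record := []byte("Jane Doe, jane.doe@example.com, passport X1234567")
	label := []byte("guests-2019.xlsx")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes, starts %x...\n", len(sealed), sealed[:8])

	// The legitimate key holder gets the document back.
	plain, err := Open(key, sealed, label)
	fmt.Printf("with key: %q err=%v\n", plain, err)

	// Someone holding only the leaked file (and a guessed key) gets nothing.
	wrongKey, _ := NewKey()
	_, err = Open(wrongKey, sealed, label)
	fmt.Printf("wrong key: err=%v\n", err)

	// Changing a single byte is caught by the GCM tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, label)
	fmt.Printf("tampered: err=%v\n", err)
}
```

The design point is in what is missing: there is no way to get the record back from the blob alone, so the security of the file reduces entirely to who holds the key. That is why key storage and distribution, not the cipher, is where document-protection products differ.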
SealPath can be especially useful in these cases, as it is a data protection solution that goes beyond traditional encryption. It applies persistent protection to files and keeps them protected wherever they go, allowing access only to those who have been granted permissions. If any of this data leaves the organization, whether through a hack, theft or otherwise, this protection and access control is maintained.
Therefore, when sensitive information containing third-party personal data is stored in documents or files, SealPath is a good way of keeping it under control and avoiding the fines that an information leak may bring.
If you want to know more about SealPath or see a working demo, contact us.