GDPR and data breaches—staying compliant

Last year saw the Information Commissioner’s Office hand out more than just a ‘slap on the wrist’ with companies such as Facebook and Equifax receiving fines of up to £500,000 for data breaches. However, earlier this week, both British Airways and Marriott International received proposed fines of £184m ($230m) and £99m ($125m) respectively, following the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018.

Prior to May 2018, the UK followed the Data Protection Act 1998, in which the maximum fine equalled £500,000. But with the introduction of the GDPR companies can now be liable to pay penalties of up to 4% of their turnover.

The data protection breaches

The large fines have been proposed for the following:

  • British Airways experienced breaches in September/October 2018 which enabled attackers to re-route customers into a fraudulent website, subsequently exposing the personal details of 500,000 customers
  • Marriott International’s failed to stop a breach which spanned over four years, exposing approximately million customer records from across the globe

Although the announced fines are only proposed and not final, they act as a stark reminder and lesson to companies to not only ensure they are data compliant, but also check the third parties they are using.

André Baywater, Partner at Cordery Breach Navigator, also noted in an article for Data Breach Today: “Organizations clearly need to undertake thorough due diligence when making a corporate acquisition…For example, during the due diligence process, a buyer will need to investigate the target business’ data protection compliance, including its security systems, and when negotiating a share purchase agreement or asset purchase agreement including post-migration of personal data.”

Stay GDPR compliant with Cordery

As revealed by the British Airways and Marriott breaches, it can be very difficult to stay protected and compliant. Not only are data breaches complex business events, but they also can have far-reaching financial and reputational consequences—so staying compliant and managing incidents well is essential.

Cordery Breach Navigator gives you the expertise, discipline and support to help you make the right decisions on risk and GDPR reporting requirements. Applicable for organisations of all sizes, the tool is there to support Data Protection Officers (DPOs) who are tasked with designing and implementing processes that can respond to a dynamic set of risks and instil confidence in senior management. The powerful software tool combines legal expertise with clever software to help DPOs and their teams deal with potential and actual data breaches in a consistent, informed manner using the very latest best-practice techniques.

For more information on GDPR see Lexis®PSL Practice Note on The General Data Protection Regulation. Click here for a free trail.

Click here to explore the full capabilities of our Cordery tool.

Relevant Articles
Area of Interest