July 2019 was a busy month for the Information Commissioner’s Office. Following two data breaches at Marriott Hotels and British Airways – originally recorded in November 2018 and June 2018 respectively – the first of the UK’s GDPR fines have bolted out the barn door.
British Airways are expected to pay a cool £183.39 million fine (roughly 1.5% of its annual turnover), with Marriott’s coming in at £99 million – both punitive measures for the loss of each company’s confidential customer data.
In the case of British Airways, “poor security arrangements” are cited as the culprit, with the names, addresses and login details of 500,000 customers making up the compromised data. Marriott, meanwhile, suffered an intrusion lasting four years which saw a staggering 383 million guests’ details compromised, one of the largest breaches in history.
So far, the most high-profile GDPR breach has hit none other than tech giant Google – albeit with a seemingly lenient fine of €50 million. The fine was issued by CNIL, the French data regulator, for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Google were accused of – and subsequently punished for – failing to provide a legal basis for the collection of personal data used in targeted ads.
All three instances demonstrate the renewed severity with which the GDPR treats data breaches; sure, this isn’t the first time the ICO has slapped corporations with charges for their data mishandling, but before the EU’s GDPR legislation, fines have rarely been so hefty.
What’s interesting about these fines is that they barely scrape the 2% of either company’s income – which is the fine payable for any “lower level” GDPR breach (or €10 million, if that’s the higher value). Yet whilst the legislation places renewed importance on the protection of personal data, it seems only larger companies may be able to weather the storm of its fines – and questions remain on whether smaller businesses will cope with such harsh penalties.
For any business managing vast amounts of customer data, this makes a strong cyber security setup with diligent data backup solutions nothing less than essential. A great start for any business is applying for a Cyber Essentials Plus certification; this demonstrates that your security setup and knowledge meet the government’s accepted standards of cyber security.
Alongside the usual security measures – such as firewalls and antivirus software – you’ll want a recovery method specifically for the protection of data. A Data Backup and Disaster Recovery solution ensures that any data lost can be retrieved, making data breaches much more manageable.
Understand the Benefits of being Cyber Essentials Qualified
If you want to know more, or are looking for a Cyber Essentials accreditation for business, get in touch.
We're a recognised certification body, and able to conduct a full Cyber Essentials assessment, certified to government standard.
With three package options to choose from, including options for Onsite or Remote Support, we’ll help get your business up to standard in the manner most efficient for you.