So, those of us who warned two years ago how profoundly dangerous a GDPR fine could be for businesses weren’t wrong: we were among the very first to recognise the implications, and it is now clear that the game has changed. If either your GDPR compliance or your cybersecurity is compromised, it can bankrupt your business. The first major GDPR fine, £183 million (yes, you read that right), is now public. Contact [email protected] for quick, comprehensive guidance.
The first GDPR notice in the United Kingdom has been issued to AggregateIQ Data Services. The Canadian firm was linked to the Facebook-Cambridge Analytica scandal earlier this year, providing tools used in data analytics for political campaigns. Having caught the attention of the Information Commissioner’s Office (ICO), it has now run into trouble for failing to comply with GDPR.
The ICO has served this notice in connection with EU citizen data being held by AIQ. Because the data involved, including names and email addresses, is being stored for political purposes and without the users’ consent, there is no lawful basis for AIQ to process it.
Take a look at the full story about the UK’s first GDPR notice here: https://www.zdnet.com/article/uk-issues-first-ever-gdpr-notice-in-connection-to-facebook-data-scandal/
There are several important things to note about this case, each illustrating the dangers of not being fully aware of GDPR and its implications:
- AIQ may be based outside of the UK, but this doesn’t protect it. This is because, in the words of the ICO, “AIQ’s processing of personal data is said to relate to monitoring of data subjects’ behaviour taking place within the European Union”.
- For its role in the Cambridge Analytica scandal in March, Facebook was fined £500,000 under the terms of the Data Protection Act 1998. However, the notice issued to AIQ still comes under GDPR, even though the data it is processing relates to the same scandal. This is because AIQ didn’t tell the ICO it still held EU citizen data until May, when GDPR came into effect.
- The issue for AIQ is that there’s no legal basis for them to hold this data. The ICO states: “The controller [AIQ] has failed to comply [with GDPR]. This is because the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.”
- While the GDPR notice has only recently come to the attention of the public, it was originally issued in July. The ICO demanded that AIQ “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.”
- AIQ had only thirty days to comply with this demand. Considering that the Cambridge Analytica scandal hit 87 million users, and that the firm provides software and tools for managing data for political purposes, this is a huge job to perform in such a short space of time.
It should be noted that AIQ has the right to appeal – and is exercising that right. However, if its appeal is rejected, it will face fines of up to €2 million or 4% of its annual global turnover, whichever is higher – and that is per data breach…
For our help and support with your own GDPR awareness and compliance programme, use the Contact Form on the right to get in touch today.
We’ve been delivering many urgent project management and staff training projects recently, to companies that just need “GDPR compliance now”, so much so that we’ve not had time for our usual blogging and marketing activity lately. We’ve written this article to consider where companies and organisations really are in their GDPR compliance programmes now, and what we’d recommend that companies do next.
GDPR is going to be a big challenge for organisations to implement, and the consequences of breaches and of failing to comply with GDPR can be huge. GDPR fines and penalties could potentially cripple an organisation that fails to adhere to the new regulations.
If there is any breach of data, such as a hack, the data controller must notify the Supervisory Authority no more than 72 hours after becoming aware of the breach; the clock runs from the moment of awareness, not from the breach itself. There is no room for misinterpretation or excuses here: if the Supervisory Authority is not notified within the 72 hours, the late notification must be accompanied by a suitable reason from the controller for the delay. A suitable reason would be something outside the controller’s power, such as a power outage.
Notifying the data subject (i.e. the person whose data is being held) is slightly different, though. The data subject must be notified of any potential breach UNLESS the data is anonymised, that is, unless the data is no longer immediately recognisable as the original data supplied by the subject. Pseudonymised or encrypted data hides what the data actually is behind a mask or coding, with only a small number of people able to uncover the true meaning. Without the means to do that, the data is essentially useless to whoever obtains it.
Data can be thought of as raw facts and figures that, on their own, appear to make no sense. We must add categories and context to the data for it to become information and knowledge. Hence, if a piece of data is hidden behind a mask or code, those who don’t know how to unlock it cannot even tell what data they have obtained.
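As an added illustration, not code from the original post, of the pseudonymisation idea above: direct identifiers are replaced with keyed HMAC-SHA256 tokens (our choice of “mask”), the key is held separately from the dataset, and only a key holder can link a token back to a known person. The sample customer records are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): the direct identifiers a breach would expose.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "AB1 2CD"},
    {"name": "Bob Example", "email": "bob@example.com", "postcode": "EF3 4GH"},
]

def new_pseudonymisation_key():
    # 256-bit secret; in practice held in a key vault, never stored beside the dataset.
    return secrets.token_bytes(32)

def _token(key, email):
    # Keyed HMAC: without the key the token can be neither computed nor reversed.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def pseudonymise(records, key):
    """Return a copy of the records with name and e-mail replaced by a keyed token.
    Only the outward half of the postcode is kept, so the record stays useful for
    analysis but no longer points at one household."""
    return [
        {"subject_id": _token(key, r["email"]), "postcode_area": r["postcode"].split()[0]}
        for r in records
    ]

def has_direct_identifiers(records):
    """True if any record still carries a name or e-mail address field."""
    return any(k in ("name", "email") for r in records for k in r)

def matches_subject(pseudo_record, key, known_email):
    """Only a key holder can test whether a token belongs to a known e-mail address."""
    return hmac.compare_digest(_token(key, known_email), pseudo_record["subject_id"])

def demo():
    key = new_pseudonymisation_key()
    released = pseudonymise(CUSTOMERS, key)
    # The pseudonymised dataset carries no direct identifiers ...
    assert not has_direct_identifiers(released)
    # ... the key holder can still link a token to a person ...
    assert matches_subject(released[0], key, "alice@example.com")
    # ... and someone holding the data but a different (or no) key cannot.
    assert not matches_subject(released[0], new_pseudonymisation_key(), "alice@example.com")
    return released
```

Whether a given pseudonymisation is strong enough to lift the duty to notify data subjects is a judgement for the controller and its DPO; the code only shows what “unreadable without the key” means in practice.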
FINES AND PENALTIES
The consequences of failing to comply with GDPR can be huge, but while you may see big figures bandied about, those are not necessarily the fine you or your organisation will receive. Each case will be judged against a set of conditions to decide whether a fine is warranted, and how much.
These conditions are:
- How big and widespread the infringement was, and how much it affected data subjects and how many. The type of data affected will also be considered.
- Whether there was any (intentional) neglect by the organisation concerning the infringement.
- Whether the data controller took action to prevent damage to the data subjects (e.g. if there’s a breach, the 72 hours you have before notifying the Supervisory Authority can be used to minimise the damage to your customers, resolve the breach and set up suitable preventions, and then notify the Supervisory Authority; this will potentially help your case).
- How the data was protected in the first place will also be considered. If an organisation does not have suitable security measures in place and cannot show demonstrable controls, this will negatively affect the organisation’s case.
- The degree of responsibility of the processor or controller, and whether they have had any previous infringements.
- The level of cooperation with the Supervisory Authority to fix the infringement.
- How the Supervisory Authority became aware of the infringement.
- The extent of adherence to codes of conduct approved by the Supervisory Authority.
- Any other factors relevant to the specific infringement, including but not limited to financial gains and losses.
A worst-case scenario can see a fine of up to 20,000,000 Euros, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater. This again depends on a certain set of circumstances (including lack of compliance with the Supervisory Authority), and for the lower tier of infringements the figures are lower (up to 10,000,000 Euros and 2%). The important phrasing here, though, is “up to”. It is unlikely that any organisation will be fined 10,000,000 Euros unless it severely infringes the regulations and the data affected is of high risk.
Remediation costs will also significantly affect organisations post-breach. An organisation’s size, how many employees it has and how many data records are affected by a potential breach all drive the remediation costs for the company. Using the supermarket chain Morrisons as a recent example: it lost 100,000 employee records, and on current estimates of remediation costs, the minimum Morrisons could potentially be looking at is £75 million. That is a huge cost just to remedy the breach, and such a figure will be huge for any organisation.
These consequences seriously highlight the need to comply with GDPR thoroughly and securely, and it’s vital to get your business or organisation fully compliant before the regulations come into force in May 2018. Ask us now for a Gap Analysis or GDPR project delivery.
The source for much of this information is the “Guidelines on Data Protection Officers”, a comprehensive guide to all things GDPR and a vital read for any Data Protection Officer.
You can also read our take on Equifax’s breach and lack of compliance with GDPR right here: https://activaconsulting.co.uk/activa-consulting-news/equifax-affected-under-gdpr-laws/