GDPR taken more seriously after first fines
Security professionals believe the first big fines under the General Data Protection Regulation will get organisations to take the new rules more seriously, but will not necessarily change policies or practices
Security professionals are divided over whether the first fines issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) were appropriate, a survey shows.
While 43% of Twitter followers of security firm Tripwire polled said the GDPR fines for British Airways and Marriott International were “appropriate”, 42% said they should have been greater, while only 12% thought the penalties were too high.
In July 2019, the ICO announced its intention to fine British Airways £183m in connection with an incident in September 2018 when bad actors redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers.
The ICO announced a day later that it planned to fine Marriott International £99m in connection with a November 2018 data breach that exposed personal data contained in approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA), including seven million in the UK.
Both companies have indicated that they intend to make representations to the ICO about the findings of its investigation and the proposed fines.
While the penalties are significantly greater than any previous fines issued by the ICO under former data protection laws, when monetary penalties were capped at £500,000, the poll revealed that security professionals did not believe the fines would necessarily drive any change in company policies and practices, especially in the light of the fact that they represent only around 1.5% of annual turnover for British Airways and Marriott International.
Only 25% said the fines were likely to change policies and practices; a similar proportion (22%) said they believed there would be no change, while 52% said there would be some change, but not enough. Only 29% said the fines made them more confident about the privacy of their personal data.
However, the most positive indication from the Twitter poll was that 60% said they believed the fines would cause their organisation to take the GDPR more seriously.
A separate recent survey revealed that almost a third of European businesses are still not compliant with the GDPR, but there are encouraging signs of increased maturity in data protection, with the new rules driving better, business-supporting practices.
David Meltzer, chief technology officer at Tripwire, said organisations playing the waiting game on GDPR – or any other data privacy regulation – should not delay any longer.
“As we wait to see how, or if, these fines will be paid out, GDPR enforceability has caught momentum. What’s interesting about the poll results is that while these fines might inspire more action on the companies’ parts, they don’t inspire more confidence in individuals that their personal data will be better protected.
“Organisations will have to continue working for their customers’ trust. Those who have put the right amount of focus in establishing best practice fundamental security measures have a head start,” he said.
The GDPR has brought consumer trust issues around data to the fore, according to Elle Todd, partner at law firm Reed Smith.
“The largest tech companies can’t escape it and have been reacting by ensuring that privacy heads the agenda in CEO speeches and conferences. However, too few other companies have recognised the opportunity that GDPR represents to engage with users about how their data is used and to do so in a way that is compelling and different,” she said in a recent opinion piece for Computer Weekly.