In the run-up to the General Data Protection Regulation (GDPR) coming into force in 2018, the increased level of fines combined with a raft of new and enhanced data protection obligations created a big stir.
Some organisations sprang into action, mapping their data flows, polishing up policies, rolling out training and so on. Others took a much more relaxed approach – after all, they had managed to fly under the radar of regulatory scrutiny before, so why should the GDPR change that?
With the regulation having been in place for over two years now, data protection regulators have had time to get into the swing of things when it comes to GDPR enforcement. How is enforcement by data protection regulators panning out? Is it really the big risk predicted – or are there bigger risks to the bottom line?
When looking at enforcement trends, although a few whopping fines have been issued, most have been relatively modest in size. There are not all that many of them either, when you consider the large quantities of security breach notifications and complaints from individuals that data protection authorities (DPAs) across Europe have been dealing with.
The reality is that DPA fines are not the biggest threat to the bottom line. The greater threat for many businesses is the loss of confidence in an organisation once a GDPR breach, often cyber security related, becomes public knowledge. This can, and regularly does, hit share prices and drive away business.
Beware the representative claim
Another threat that is becoming more prominent, and could well eventually eclipse the risk of DPA enforcement, is the “representative claim”. The reason this needs to be taken seriously is because a representative claim does not require claimants to “opt in”. This type of claim can be brought by a person or organisation on behalf of the “wronged” class of people without their consent. No need for them to “opt in” – they are automatically “in” as long as they have a common cause of action.
This is different to other, more traditional, class action-style claims, such as the one brought by Morrisons employees following the theft and publication of their data by a vindictive employee. That was a claim in which, thankfully, common sense prevailed in the Supreme Court, where it was held that Morrisons could not be held vicariously liable for the actions of this rogue employee.
Kirsten Whitfield, Fieldfisher
The precedent for the representative claim was set by the Lloyd v Google case, also known as the “Safari workaround” case, which centred on transparency for data collection. This was a successful representative claim by consumer rights advocate Richard Lloyd on behalf of over four million Apple iPhone users who were held to have in common that they lost control of their data.
In this case, it was also held that individuals needn’t have suffered any financial damage to have a claim. Aside from there being no need for individuals to opt in to the representative claim, the fact that there is also no need to show any financial loss makes this very attractive to claimants for security breaches. This is because it can be very difficult to show that you suffered financial loss or other damage as a result of a particular security breach.
It is not such a big leap to see how this could be applied to large-scale security breaches, and this is exactly what has happened in the recently launched claim against Marriott International, which is being brought by a journalist relating to the compromise of a reported 339 million guest records when the Starwood hotel systems were infiltrated in 2014.
Marriott unknowingly inherited the breach when it bought Starwood in 2016. On discovering the breach in 2018, Marriott reported it to the Information Commissioner’s Office (ICO), the UK’s data protection regulator. With affected individuals numbering in the thousands or millions, even a small sum of damages per person can soon add up to astronomical sums.
What are organisations most likely to get fined for under GDPR?
Judging by almost daily headlines on data breaches, you would be forgiven for thinking that European data protection authorities have been busy since the GDPR was ushered in, issuing fines for GDPR security failings. However, when we look at enforcement across Europe – to the extent you can, given that not all DPAs in Europe make their enforcement action public – we see a different picture.
Publicised GDPR fines from DPAs across Europe have exceeded the €200m mark. Some DPAs have issued large fines in the millions of euros, such as the French and Italian DPAs, while others have doled out more modest fines in the thousands of euros, such as the Spanish DPA, which has been busy issuing a rash of smaller fines.
The majority of these fines relate to failings to respect the GDPR rights of individuals, such as the right to know what is happening with their data or the right to access it. Fines for security breaches are in the minority. When looking at the ICO’s annual report, it is surprising to see that, in the UK at least, the vast majority of the data breaches reported are not in fact cyber breaches, but non-cyber incidents instead – for example, accidental disclosures of personal data or failing to set the right access controls.
Do smaller organisations really get to fly under the radar?
It is a misconception that unless your organisation is a giant household name, you needn’t worry too much about getting fined by a DPA. Yes, DPAs are looking closely at some big companies with big data and testing their privacy mettle, but they are not the only ones drawing the eye of the DPAs in Europe. Many smaller organisations, which most of us have probably never heard of, have also landed themselves in hot water with DPAs.
It is also surprising how often failure to cooperate with a DPA’s investigation is cited in a write-up of the enforcement action taken. Had organisations been more cooperative, would their fines have been lower or even non-existent?
What are the biggest cyber security threats?
It may come as a surprise that the IBM Security/Ponemon Institute 2020 Cost of a data breach report reveals that, in the UK at least, ransomware attacks, which often receive considerable publicity (including some of it from the protagonists themselves), only accounted for 8% of those breaches for business and 10% for charities. Sadly, the pandemic has forced changes in working patterns and a heavy reliance on remote working technology, leaving workforces more vulnerable to malicious attacks than ever.
According to the study results, a large proportion of those surveyed thought that widespread remote working would increase not only the time it takes to identify and contain a potential breach, but also the cost of a breach. This correlation makes sense because a swift and effective breach response does help reduce the cost of a breach. This is underscored by the study, which highlights how a well-prepared incident response team can have a dramatic impact on the cost of handling a breach.
At a UK level, the Department for Digital, Culture, Media and Sport (DCMS) revealed in its Cyber security breaches survey 2020 that, on average, almost half of businesses (46%) and a quarter of charities (26%) report having some kind of cyber security breach or attack in the past 12 months.
When looking at size of organisation, the highest proportion of attacks were against large firms, at 75%, in the past 12 months. Of those breaches or attacks, by far the largest proportion were the result of fraudulent emails or being directed to fraudulent websites (86% for businesses and 85% for charities).
What impact has the pandemic had on enforcement?
From enforcement figures across Europe we also see that the pandemic has had an impact not only on cyber breach risks, but also on how DPAs have enforced during this time.
Early on, a number of regulators publicly stated that they would take the pandemic into account when considering enforcement action, albeit some with the clear caveat that the pandemic would not be an excuse for poor compliance.
In step with this, when looking at fines issued across Europe, there was a noticeable slowdown in fines from March through to May this year. The pace of fines started to pick up again from June, with DPAs seemingly getting back to business as usual when it comes to issuing fines at least.
Which data protection regulators are fining the most?
The top five countries for GDPR fines by total value, and in this order, are Italy, France, Germany, Austria and Sweden.
The UK features very low in the rankings and is nowhere near the top five at present. In fact, based on the ICO’s most recent annual report for 2019/2020, we see that when it comes to security breaches handled, 95% of UK breaches resulted in no further action being taken and only 0.03% resulted in a fine.
The ICO issued a couple of “intention to fine” press statements back in July 2019, relating to the British Airways and Marriott security incidents. Neither fine has been issued yet. The proposed amounts, £183,390,000 and £99,200,396 respectively, would have shot the UK to the top of the leader board for size of GDPR fines. In the meantime, the world was gripped by a pandemic and the circumstances of the travel and hospitality sectors look dramatically different now compared to a year ago.
A peek at the IAG half yearly results reveals that British Airways has reserved €22m for the data breach, a dramatic reduction on the originally anticipated fine. Although this is mere speculation, the changed fortunes of both organisations could well result in dramatically lower fines from the ICO.
What sector is top of the leaderboard for fines?
Particularly noticeable is the number of fines that DPAs across Europe have issued in the health sector – against healthcare providers. The ICO’s published data on enforcement action in 2020, the DCMS 2020 survey and the IBM Security/Ponemon survey findings on breach costs all point towards the health sector being particularly vulnerable.
It is easy to see how smallish organisations in this sector, with limited resources to dedicate to security and training but with responsibility for some pretty sensitive health data, could be more vulnerable not only to a security breach striking, but also to DPA enforcement when it does. To compound the issue, IBM Security/Ponemon also reports that the average cost of breaches across the 524 organisations in 17 countries surveyed for its 2020 annual survey was, for the tenth year running, the highest in the health sector.
Have there been any fines for failing to notify breaches within GDPR required timescales?
There have been several fines from DPAs where they mention the timing of notification. Generally, however, either there was no notification at all or it was very late. A few days of delay does not appear to be a big issue for DPAs.
What are the common cyber security failings leading to fines?
Overall, DPAs are not interested in punishing organisations that tried diligently to keep up with the times and secure their systems but nevertheless failed to do so. Fieldfisher’s privacy team regularly sees clients receive a “no further action” result from DPAs when they have been able to demonstrate that they really did do what they reasonably could. After all, even with the deepest pockets, can any organisation really say their data is 100% secure?
What DPAs are really getting worked up about are failings that are often affordable and sometimes pretty basic to fix but, for whatever reason, not addressed. For example: failing to set and maintain proper internal access controls, not implementing two-factor authentication to reduce the risk of malicious infiltration, holding on to data long past its expiry date, and failing to carry out sufficiently detailed due diligence on providers that have access to personal data.