Are the big GDPR fines finally coming into land – and does it matter?
My GDPR fines prediction came true earlier than expected… although I wasn’t brave enough to put it into my book “The Ultimate GDPR Practitioner Guide: Demystifying Privacy & Data Protection”.
Prior to the 2018 GDPR go-live date, many of my clients asked the same question, asking me to predict:
The same question was being discussed in forums and at conferences, with subject matter experts making various predictions. Tim Turner, for example, stated back in Aug 2018:
Whilst I won’t dwell too much on the fact that Tim’s statement is, in itself, a logical fallacy in risk management, it did buck the prevailing opinion at the time, which came predominantly from sellers of training, services and one-stop IT systems. The typical claim was that on May 26th, anyone who wasn’t compliant with GDPR would be instantly slapped with massive GDPR fines to the tune of 4% of their worldwide annual turnover. Hopefully, most people took these exaggerated claims with a sizeable pinch of salt.
My own GDPR fines prediction
So what was my prediction? Well, based on previous major data breaches (such as the TalkTalk breach), I hypothesised that it seems to take around 12-18 months from a major incident occurring to the ICO carrying out an investigation and subsequently issuing a fine… and then, of course, there is the inevitable appeal wrangling to reduce the original fine amount. Therefore, if there were to be an in-scope breach on the 26th May 2018, it would likely be between May and November 2019 before a large fine would be finally agreed. In the case of the TalkTalk data breach in 2015, the ICO took 10 months to investigate and awarded the maximum fine, which was subsequently reduced by 20% (although the £400k fine pales into insignificance compared with the £77million estimated total cost!). The TalkTalk fine was under the old rules.
British Airways fined £183million
Now that we are well and truly into the GDPR regime, and 10 months after British Airways reported their website had been hacked in late August 2018, the ICO has concluded its investigation and issued an [initial] whopping £183million fine. The fine amounts to 1.5% of BA’s £12.2billion 2017 worldwide turnover. BA’s parent company is IAG; if the fine were awarded at the group level, it would amount to 1% of IAG’s worldwide turnover for 2017. So whilst this fine is significantly larger than those under the previous data protection rules, it is still a lot lower than the theoretical maximum (estimated to be just over EUR800million or £716million).
Not the first fine under the new GDPR rules
Whilst the BA fine is the first major GDPR fine issued by the ICO, it is not the first major fine to be issued under the new data protection rules. In January 2019 (only 8 months after the complaints were received in late May 2018) the French data protection regulator (CNIL) were quick to wield their new powers and issued a EUR50million fine against Google. Given Google’s annual turnover for 2017 was US$136.2billion, the fine only amounted to a tiny 0.04% of the theoretical maximum. It’s also worth bearing in mind that the fines were issued for different reasons, so a direct comparison cannot legitimately be made. What may be ascertained is that the regulators are finding their feet and, under the right circumstances, will issue large fines for the most serious of data breaches.
So do GDPR fines like the BA fine represent a step change in data protection enforcement?
It can’t be denied that this enforcement action against BA is a material change, but one swallow a summer does not make. Under the new rules, BA are potentially [appeal pending] facing a fine 366 times that which could have been expected under the old regime. Under the old regime, larger companies looking at data protection through an operational risk management lens may have put the fine through a model and found it to be a risk they could accept. If they did, they would perhaps have been doing so without considering the bigger picture. Fines are only a small part of the puzzle.
What a focus solely on fines can do is distract organisations from considering the other costs associated with a data breach, those not related to cooperating with an ICO investigation. Companies may not necessarily get slapped with the maximum theoretical fines, but the additional costs to their businesses should certainly be a focus of the Board. Senior leadership teams should be asking their governance teams what the estimated total cost of a data breach is, not simplistically modelling discounted GDPR fines after appeal. Legal costs, lost customer sales, implementing new systems and lost opportunity costs are all likely to contribute to a hit at the bottom line.
What is the estimated total cost of a data breach, in addition to a fine?
Even under the old system, whilst fines were small, they formed only a small part of the total cost of a data breach. Equifax may have only received a fine of £500k from the ICO, but the cost of their data breach is currently estimated to be circa $1.4billion and counting!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy which, in addition to offering GDPR advisory services, provides vCISO and Data Protection as a Service. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide”, which is available on Amazon in both 8×10 paperback and Kindle eBook.
About Fox Red Risk:
Fox Red Risk is a boutique data protection and cyber security consultancy which, amongst other things, helps client organisations with data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.