Written by

Bernard Marr

Bernard Marr is a world-renowned futurist, influencer and thought leader in the fields of business and technology, with a passion for using technology for the good of humanity. He is a best-selling author of 20 books, writes a regular column for Forbes and advises and coaches many of the world’s best-known organisations. He has over 2 million social media followers, 1 million newsletter subscribers and was ranked by LinkedIn as one of the top 5 business influencers in the world and the No 1 influencer in the UK.


GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been)

2 July 2021

Data is breached every single day, but most of these breaches don’t make headlines. Since the European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018, a company that suffers a significant data breach doesn’t just face a public relations problem and the direct financial cost of the breach; it can also face the large fines the regulation provides for. To get a sense of what the GDPR means for companies, we will review a few of the world’s largest data breaches and what the penalties could have looked like if GDPR had been in place at the time.

GDPR Overview

The European Parliament approved the GDPR in April 2016 with the intent of consolidating data protection law across Europe and protecting the privacy of people in the EU in an increasingly data-driven world. The GDPR covers ALL companies that process the personal data of people in the EU, regardless of where the company is located, and penalties for non-compliance apply to both data controllers and data processors. Where a company relies on consent, it must obtain that consent in clear, plain language; no smoke and mirrors or confusing legalese is allowed. A company that discovers a personal data breach must notify the relevant supervisory authority within 72 hours of becoming aware of it, where feasible, and must notify the affected individuals without undue delay when the breach is likely to put them at high risk; a data processor must notify the controller it works for “without undue delay.” Additional requirements make it easier for individuals to learn how their data is going to be used and processed, to request erasure of their data, and to receive a copy of the personal data organisations hold about them.

And then there are the substantial fines and penalties mandated by GDPR for non-compliance with the regulation. There are two tiers of fines: up to €10 million or 2% of the previous year’s annual global turnover (revenue), whichever is higher, for infringements such as failing to keep proper records, secure personal data or notify a breach; and up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements, including violations of the basic processing principles and of data subjects’ rights. Many factors determine the actual fine within those caps, including the nature, duration and gravity of the infringement, the categories of personal data affected, and the degree of cooperation and the past behaviour of the organisation.

Data Breaches and the Impact of GDPR

Let’s take a look at some of the largest data breaches that have occurred and use them to illustrate how GDPR would have affected the companies involved had it been in effect at the time.

Yahoo

When Yahoo’s breaches came to light, the 3 billion user accounts compromised in 2013 and 2014 represented the largest data breach in history. Not only was the scope enormous, the company was also far outside the 72-hour window that the GDPR now sets for notifying the regulator after becoming aware of a breach: the breaches were not disclosed until 2016, and it took until October 2017 for Yahoo to acknowledge their full extent. With revenue in excess of $4 billion for 2012, Yahoo would have faced fines in the tens of millions of dollars had GDPR been in place: $80 million under the 2% cap, and potentially as much as $160 million under the 4% cap, depending on the variable factors of GDPR, including the culpability of the company and how cooperative it was.

eBay

eBay’s 2014 breach affected 145 million users. Even though the time between eBay discovering the breach and notifying consumers was relatively short (the breach was discovered in early May and users were notified later that month), it still wasn’t within the GDPR’s 72-hour window for notifying the regulator. Names, addresses, dates of birth and passwords were compromised, but financial information was not. At the time, the company was criticised for its poor communication and for problems with its password-reset process; on the other hand, since financial information wasn’t compromised, the fine might have been lower. Its turnover for 2013 was $6.6 billion, so the percentage-based cap rather than the fixed €10 million or €20 million amount would have applied: up to $132 million under the 2% tier or $264 million under the 4% tier.

Equifax

In one of the largest cyberattacks of 2017 (that we know of so far), the personal information of 143 million consumers was compromised, and a further 209,000 also had their credit card data exposed, in a breach discovered in July. Measured against the GDPR’s 72-hour clock, the company would have fallen well short: it did not make the breach public until September. Equifax did launch a website so consumers could check whether their data had been compromised, and offered credit monitoring to all U.S. consumers, so it might have received some credit for its cooperation and post-breach response; however, with $3.1 billion in revenue for 2016, the percentage-based cap would still have applied, putting the maximum at $62 million under the 2% tier or $124 million under the 4% tier.

As these examples illustrate, companies face grave consequences and fines when data breaches occur now that GDPR is in effect. The regulation is strict, and every company doing business in the EU or handling the personal data of people in the EU needs to be sure it has processes in place to meet the GDPR requirements.
