July 22, 2019

GDPR Enforcement Is Getting Serious

In May 2018, the General Data Protection Regulation (GDPR) came into force, tightening the rules governing the use of personal data. Note that GDPR applies not only to organizations located in the EU but also to organizations, regardless of location, that process or store the personal data of people residing in the EU.

In the past weeks, the UK's Information Commissioner's Office (ICO) has been sending a strong message to companies that fall under GDPR: get your security practices in place or be prepared to suffer the consequences. The two most recent examples of the ICO wielding that power were felt by British Airways and Marriott.

“When you are entrusted with personal data you must look after it.”

ICO Commissioner Elizabeth Denham

Between 2014 and 2018, attackers maintained a presence in the Starwood guest reservation database, compromising some 383 million customer records before Marriott discovered the intrusion. The ICO has announced its intention to fine Marriott £99 million (roughly $124 million). Under GDPR, fines of up to €20 million or 4% of a company's annual global turnover, whichever is higher, can be issued for infringements.

British Airways suffered a breach in September 2018 when attackers harvested the personal and payment data of nearly 500,000 customers through the airline's website and mobile application. The ICO, citing ineffective security measures, has announced its intention to fine British Airways £183 million (roughly $230 million), a fine the airline plans to appeal.

What’s a company to do?

Given the growing threat of cyber-attacks, and now regulations that will be enforced with real economic consequences, it comes as no surprise that cybersecurity spending is on the upswing. Dark Reading published a roundup of 2019 cybersecurity spending outlooks in which Gartner, Forrester, and InformationWeek all agreed on three drivers of security spending:

  1. Security risks
  2. Business needs
  3. Industry changes

According to Gartner, while general IT spending will grow by about 3.2% in 2019, spending on IT security will increase 8.7% this year, reaching $124 billion worldwide.

In the weeks and months to follow we will see which companies are next to be hit with substantial fines from the ICO, and whether the threat of economic damage actually pushes companies to change their security practices for the better. For small and medium enterprises this will be particularly interesting to observe, given the complexity of GDPR coupled with the budgeting problems a violation creates. These smaller businesses must take GDPR just as seriously as giants like Marriott and British Airways: a large GDPR fine could cause unrecoverable damage to a business that is unable to absorb the cost.

GDPR was designed to strengthen the rights of consumers and let them know what organizations are doing with their data, and these recent fines show that organizations are not always acting in the best interests of their customers.