Substantial GDPR fines mean the stakes are high for any company that holds personal data

There has been a lot of publicity around the first substantial fines issued by the Information Commissioner’s Office under GDPR. The international hotel group Marriott has been fined nearly £100 million as a result of hackers stealing the records of 339 million guests, and British Airways recently received a £183 million fine after a hack compromised the personal data of half a million of its customers.

These fines received a lot of publicity due to their size, which is a direct result of the implementation of GDPR just over a year ago. Under the old Data Protection Act the maximum fine the ICO could impose was £500,000. In contrast, the maximum fine under GDPR is 4% of annual turnover. The BA and Marriott fines both represent 1.5% of their respective turnovers, so both fines could have been significantly higher. This ‘leniency’ is most likely in recognition of the fact that both companies cooperated fully with the ICO’s investigations.

The stakes are now extremely high for any company that holds customer data. In the case of Facebook and Google, both currently under investigation by the ICO, fines of 4% of turnover would be up to $5 billion for Google and $2.2 billion for Facebook (based on their annual revenue in 2018). Compare this to the £500,000 fine levied against Facebook for its role in the Cambridge Analytica scandal – a drop in the ocean for a company of Facebook’s size. Indeed, the ICO made it clear at the time that it would have imposed a much higher fine, had it had the power to do so.

Data protection complaints have almost doubled year-on-year since the introduction of the GDPR, from 21,019 to 41,661, showing that consumers are now much more aware of the rights they have over their data, and much more prepared to exercise those rights.

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” says the Information Commissioner, Elizabeth Denham.

These fines serve as a warning to any company holding personal data on its customers. If you hold customer data you need to ensure that your cybersecurity processes and systems are both robust and up to date, as these fines show that breaches can have massive financial consequences.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold” said the ICO. Rulings in both these cases suggest that the ICO is planning to focus on companies that it sees as having been lax in their responsibilities. “If…you didn’t remedy the system, and you had lots of chances, that’s where the ICO might punish more” says Chet Wisniewski, a UK-based cyber security expert.

The change in companies’ attitudes towards customer data is clear. Previously, companies have tended to take a ‘the more, the merrier’ approach to storing customer data, viewing such data as a huge corporate asset. However, the size of these fines shows that holding customer data you cannot effectively protect can actually be a massive corporate liability, and one with very significant financial consequences. We may now see companies being more selective about the data they choose to hold. The more data you have, the more robust your security regime needs to be and the greater the risk you’re exposed to should something go wrong.

Ultimately this may lead to companies adopting more of an ‘if you don’t need it, don’t store it’ approach – something that we at Syntec have always advocated. If you’re taking payments over the phone and storing those card details in your system, you’re exposing yourself to a potentially massive risk in the event of a breach.

In fact, GDPR requires that “appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met”. In theory, therefore, if there are technical and organizational measures available that avoid holding the data at all, then these should be deployed.

And, with PSD2 likely to increase the number of customers looking to make payments by phone, the importance of those measures is only going to grow.

Our CardEasy secure keypad payment by phone system enables you to take completely secure payments by telephone without the customer’s card details ever entering your own system. You can’t be at risk of a breach of card payment data because you’ll no longer hold that data (and you will also be seen to have adopted ‘appropriate technical measures’ to be compliant).

As payment security expert Kevin Dowd wrote on our blog back in 2015, “If you don’t need the data, don’t touch it.” Now, with the implementation of GDPR, perhaps the message that ‘less is more’ is finally getting through when it comes to customer data.