GDPR and data breaches鈥攕taying compliant

GDPR and data breaches鈥攕taying compliant

Last year saw the Information Commissioner鈥檚 Office hand out more than just a 鈥榮lap on the wrist鈥 with companies such as Facebook and Equifax receiving fines of up to 拢500,000 for data breaches. However, earlier this week, both British Airways and Marriott International received proposed fines of 拢184m ($230m) and 拢99m ($125m) respectively, following the introduction of the EU鈥檚 General Data Protection Regulation (GDPR) in May 2018.

Prior to May 2018, the UK followed the Data Protection Act 1998, in which the maximum fine equalled 拢500,000. But with the introduction of the GDPR companies can now be liable to pay penalties of up to 4% of their turnover.

The data protection breaches

The large fines have been proposed for the following:

  • British Airways experienced breaches in September/October 2018 which enabled attackers to re-route customers into a fraudulent website, subsequently exposing the personal details of 500,000 customers
  • Marriott International鈥檚 failed to stop a breach which spanned over four years, exposing approximately million customer records from across the globe

Although the announced fines are only proposed and not final, they act as a stark reminder and lesson to companies to not only ensure they are data compliant, but also check the third parties they are using.

Andr茅 Baywater, Partner at Cordery Breach Navigator, also noted in an article for : 鈥淥rganizations clearly need to undertake thorough due diligence when making a corporate acquisition鈥or example, during the due diligence process, a buyer will need to investigate the target business鈥 data protection compliance, including its security systems, and when negotiating a share purchase agreement or asset purchase agreement including post-migration of personal data.鈥

Stay GDPR compliant with Cordery

As revealed by the British Airways and Marriott breaches, it can be very difficult to stay protected and compliant. Not only are data breaches complex business events, but they also can have far-reaching financial and reputational consequences鈥攕o staying compliant and managing incidents well is essential.

gives you the expertise, discipline and support to help you make the right decisions on risk and GDPR reporting requirements. Applicable for organisations of all sizes, the tool is there to support Data Protection Officers (DPOs) who are tasked with designing and implementing processes that can respond to a dynamic set of risks and instil confidence in senior management. The powerful software tool combines legal expertise with clever software to help DPOs and their teams deal with potential and actual data breaches in a consistent, informed manner using the very latest best-practice techniques.

For more information on GDPR see Lexis庐PSL Practice Note on . Click here for a free trail.

Click to explore the full capabilities of our Cordery tool.


Related Articles:
Latest Articles:
About the author:

Hannah is one of the Future of Law blog鈥檚 digital and technical editors. She graduated from Northumbria University with a degree in History and Politics and previously freelanced for News UK, before working as a senior news editor for 老司机午夜福利.