Cyber Defense Magazine – August 2019


€10 million or 2% annual global turnover – whichever is higher; or


€20 million, or 4% annual global turnover – whichever is higher.


It is important to note that fines are imposed on a case-by-case basis. Now that we’re a year on from
GDPR being rolled out, it’s time to look back and reflect on its impact.


What Have We Learnt One Year on From GDPR?


GDPR has reshaped the rules of data management and marketing, making the data and email
compliance landscape much more complex. From collecting personal data via cookies so that information
can be used for marketing purposes, to storing personal data, explicit consent must be given by the
individual, and sometimes more than once.


Alongside this, individuals have the right to submit a Subject Access Request (SAR) to any organisation
that holds their personal data. Under GDPR the organisation must respond "without undue delay and in
any event within one month of receipt of the request", which shortens the 40-day limit that applied under
the Data Protection Act 1998 (DPA).


What is interesting is that a recent survey has shown that three-quarters of UK organisations failed to
address personal data requests within the 40-day period, with some businesses not responding to
consumer and employee requests at all. Separately, according to Corporate Counsel, 59,000 data breaches
have been reported in the EU since the introduction of GDPR, including 10,600 from the UK.


Despite the warnings in the run-up to GDPR, there have been a number of data scandals over the past year.
The European Data Protection Board reported that in the first nine months after 25 May 2018, 206,326
cases (complaints, breach notifications and other reports) had been logged with supervisory authorities.
Over the same period, authorities in 11 EEA countries issued administrative fines totalling €55,955,871.
In 2018 alone, the supervisory authorities in Germany handed out 41 fines.


Uber - November 2018


In November 2018, the UK Information Commissioner's Office (ICO) fined Uber £385,000 over a 2016 breach
in which attackers stole the personal details of 2.7 million UK customers and Uber, rather than informing
those customers, paid the attackers off. Because the breach predated GDPR, the penalty was issued under
the Data Protection Act 1998, whose maximum was £500,000; the same conduct today would fall under the
GDPR tiers above.


Using "credential stuffing" (replaying username and password pairs leaked from other breaches against a
site's login until some of them match), the attackers gained access to Uber's cloud-based storage and
downloaded the names, phone numbers and email addresses of customers, as well as 82,000 driver records.
Uber then paid the attackers $100,000 to destroy the data, but took more than a year to tell the affected
customers and drivers.
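Notifying people "without undue delay" presumes you noticed the attack in the first place, and credential stuffing has a distinctive shape in authentication logs: one source trying many different usernames in a short window, almost all of them failing. The detector below is an added example written for this article; it is not Uber's tooling or anything from the ICO notice. The log line format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detector over authentication logs (added example).

Log format is hypothetical:  <ISO timestamp> <src ip> LOGIN <username> <SUCCESS|FAIL>
Thresholds are illustrative; tune them to your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) LOGIN (?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "SUCCESS",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct_users=8, max_success_rate=0.2):
    """Return {ip: summary} for sources whose login pattern looks like credential stuffing.

    A user who mistypes hammers one account; a stuffing bot walks a leaked list, so the
    number of distinct usernames per source explodes while the success rate stays low.
    For each source the window with the most distinct usernames is reported, together
    with the accounts the bot actually got into (these are your notification list).
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e["user"] for e in win}
            successes = sum(1 for e in win if e["ok"])
            rate = successes / len(win)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                summary = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 2),
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best:
            flagged[ip] = best
    return flagged


# Constructed sample log: one clumsy legitimate user, one bot walking a leaked list.
SAMPLE_LOG = [
    "2019-06-01T10:00:00 198.51.100.4 LOGIN alice FAIL",
    "2019-06-01T10:00:05 198.51.100.4 LOGIN alice FAIL",
    "2019-06-01T10:00:09 198.51.100.4 LOGIN alice SUCCESS",
] + [
    f"2019-06-01T10:01:{i:02d} 203.0.113.7 LOGIN user{i:03d} {'SUCCESS' if i == 7 else 'FAIL'}"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The "compromised" list is the part worth keeping: it is the set of accounts whose owners need a forced credential reset and, depending on what the attacker reached from them, a breach notification. Per-source counting is only a first line of defence, since a bot spread across a proxy pool stays under the per-IP thresholds; the same sliding-window logic applied per target account, or per password hash across accounts, catches that case.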


Given the size of the breach, the sensitivity of the data stolen and the time Uber took to notify those
affected, the fine was set at £385,000. A further 174,000 people in the Netherlands were affected, and the
Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a separate fine of €600,000 (about
£532,000).
