Cloud Backup

We`re just sending through your details

Please give us a few moments whilst we get your account ready.


When Will We See The First GDPR Mega-fines?

When Will We See The First GDPR Mega-fines?

posted in Cyber-Security ● 19 May 2016

The General Data Protection Regulation (GDPR) came into effect several months ago, threatening to change the way organisations look after data forever. The run up to the regulation taking effect, on May 25th, saw headlines that promised huge-fines, major overhauls and organisations panicking to delete data. In reality, since the GDPR has become fully effective there have been no major incidents for the ICO (Information Commissioner’s Office) to deal with.

Well documented, the ICO now has the ability to levy a financial penalty of up to £17 million or 4% of global revenue, whichever is higher, for a major breach. However, the ICO has shown in the past a reluctance to fine organisations and would rather issue an enforcement notice or an undertaking.

An enforcement notice or an undertaking when issued by the ICO, or another supervisory authority, means that organisations must take action to improve data protection or run the risk of a fine. An undertaking commits an organisation to a particular course of action to ensure compliance while an enforcement notice means an organisation must take (or not take) specified steps to comply.

Fines under the previous Data Protection Act, could be levied up to £500,000 and the ICO only ever issued fines of £400,000 a handful of times. Fines are justified by the level of the breach that has occurred, with the largest and most serious breaches receiving larger fines. With the multitude of threats that organisations face, how long will it be until the first mega-fine under GDPR occurs?


Facebook put themselves at risk

Facebook is one of the world’s most well-known organisations and love them or hate them, you’ve heard of them. Public opinion in 2018, has taken a down-turn for the company as data protection is at the forefront of more people’s minds and they have continually failed to protect highly sensitive user data. This failure has prompted changes for the company, with founder Mark Zuckerberg publicly apologising for the company’s failings. As expected, breaches have also prompted investigations by regulatory authorities including the ICO.

What happened?

In early 2018, it was revealed that a major data breach had occurred relating to the misuse and collection of user data held by Facebook. A number of allegations into how data was collected and used arose, much of which had ties to political issues in 2016 such as the US presidential elections and the Brexit vote in Britain. Cambridge Analytica was at the heart of allegations as one of the organisation who harvested user data. The organisation was able to access user data through a number of applications including quiz app ‘This is your digital life’, however due to a loophole in Facebook’s API (Application Programming Interface) the designers of the app could then view and access data of friends of users of the app. It is estimated that over 50 million users of Facebook had their personal data collected in this manner.

The fallout

This breach fell under the Data Protection Act (DPA) and therefore Facebook avoided the potentially huge financial penalties of the GDPR. The ICO however did fine the company the maximum amount under the DPA of £500,000 although with Facebook earning this amount in revenue in under 10 minutes in the first quarter of 2018 it potentially acts of more of a future warning than financial burden.

                Under the GDPR Facebook could have faced a fine of up to £1.4 billion.

Elizabeth Denham, the Information Commissioner, commented on the fines, saying:

“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act… Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system… This was a very serious contravention, so in the new regime they would face a much higher fine.”


First of the mega-fines

Now that the GDPR is well in effect organisations face the possibility of a seven-figure fine for non-compliance. However, it remains to be seen what circumstance this fine may come under. The ICO may look to set an early example if a breach occurs in the remainder of 2018 or they could keep fines more closely in line with previous fines, only crossing the barrier to millions when the most serious offenses occur.

On-going compliance with the GDPR and data protection laws is a must for all organisations. Not only will compliance help with organisations to avoid hefty fines should a breach occur but will also help to strengthen protection and minimise risk of a breach. Download the whitepaper to learn more about on-going compliance with the GDPR now. Download here.

Cyber-attack on The Works is a warning to others

The recent cyber-attack on discount retailer The Works, emphasises the need for organisations of all sizes to invest in ransomware prevention measures.

Continue reading

Redstor Appoints Channel Leader Mike Hanauer as CRO to Spearhead Global Sales Expansion

Reading, April 28, 2022 – Redstor, the cloud-first backup platform of choice for MSPs, today announced the appointment of accomplished channel sales executive Mike Hanauer in a newly created role of Chief Revenue Officer (CRO). Known across the market for his revenue-generating successes with top data protection, recovery and security companies, Hanauer will spearhead global expansion plans for Redstor’s category-leading SaaS platform.

Continue reading

What is the Digital Operational Resilience Act?

The Digital Operations Resilience Act (DORA) is the European Union’s attempt to streamline the third-party risk management process across financial institutions.

Continue reading

Download The Ultimate MSP Growth Guide

  • This field is for validation purposes and should be left unchanged.