Brave New World: GDPR’s First Victims?
It has been just over a month since the General Data Protection Regulations (GDPR) were rolled out across Europe. Since then, Dixons Carphone and Ticketmaster have both announced high-profile data breaches. Steve Kuncewicz looks at what the fallout could be for these organisations in light of the new regulations.
You’d be forgiven for thinking that 25 May 2018 signalled the end of days. Endless news reports and think pieces frantically exclaimed that the new General Data Protection Regulations (GDPR) could cripple businesses across Europe. Marketing emails pleading with you to “opt-in” reached fever pitch (and many acted as their own “opt-out”). Customers across the continent were seemingly delighted, dreaming of a future free from spam emails. We could but hope.
Despite the potential compliance headache GDPR induced for many organisations (despite being a re-statement of legislation that’s the best part of 20 years old), it's a necessary by-product of a government-mandated step towards properly protecting and regulating the use of consumer personal data. GDPR is intended to guard those”watch the watchmen” who use services which involve data collection, allowing control and sight of what, where and how an individual “data subject's" personal information is stored and saved.
The discussion around GDPR has arguably identified a dichotomy between the helpless consumer and the omnipresent, data-hungry company – undermining the tricky position many businesses now find themselves in, least of all cutting them off from customers who failed to “opt in”, regardless of the number of plaintive e-mails sent and received. GDPR has forced organisations to ensure that data protection policies are fit for purpose and that any use (or “processing”) of personal data is completely transparent – a costly and time-consuming process – or otherwise face the potential of substantial financial punishment, coming either in a potential fine from the ICO (as Facebook is now facing) or civil claims for misuse or the compromise of personal data. Reputational damage will also follow for those not committed to the new(ish) world data order.
When it comes to compliance, in the first month we saw the Information Commissioner’s Office (ICO) record a sharp rise in breach notifications and complaints; the French data protection regulator has seen complaints double on the previous year. So what is to be said of Dixons Carphone and Ticketmaster, two companies which have recently announced significant breaches post GDPR?
When Dixons Carphone announced a breach that had left data on an estimated 5.9 million of its customers compromised, it had been just over two weeks since GDPR came into full force – and the company was likely still in the midst of its own GDPR compliance project.
This isn’t a first-time offence. In January 2018, the ICO issued one of the its largest-ever fines (£400,000) after personal data on three million Dixons Carphones customers and 1,000 employees was left compromised following a 2015 cyber-attack that exposed what were categorised by the ICO as fundamental failings in basic information security procedures.
Questions continue to be raised over which level of potential fine this most recent breach will be held accountable to. In a pre-GDPR world, the maximum fine imposed could be up to £500,000 according to the 1998 Data Protection Act (DPA). Post-GDPR, Dixons Carphone could face fines of up to £17.6 million, or four per cent of its annual turnover. Yet, the breach technically occurred before 25 May - meaning the company will be likely be judged according to the previous (financially more lenient) regulations.
Dixons Carphone is not, however, by any means in the clear; against a backdrop of a potential second fine from the ICO, with media reports around investors being warned the company is “barely profitable”. With plans under way to shut over 90 Carphone Warehouse sites, the message to other businesses is clear: cyber security needs to be top of the agenda, and basic security is no longer enough. Profit warnings tied directly into the fallout of this and the previous data breach, demonstrating the cost of profitability as eternal vigilance.
Ticketmaster is in a more complex position. This June, the platform discovered that a malware attack on a third-party vendor had allowed hackers access to customer names, addresses, card details and log-ins. Customers who had used the service between September 2017 and June 2018 were alerted (likely based upon the potential seriousness of the breach and its effect upon customers), so it is appears the breach is theoretically open to judgement from under the DPA and its far harsher GDPR descendent.
Whilst the ICO continues to gather evidence on this breach, it is yet to announce how under which regime any penalty will be decided.
Another complicating matter for Ticketmaster is the length of time left between discovering the breach – 23 June – and communicating to customers that they had been affected – 27 June. Under the GDPR, companies must inform customers without “undue delay” and alert the ICO within 72 hours in the event of a “serious” breach, or risk a potential fine equivalent to up to two per cent of annual turnover, or up to €10 million.
Clearly, there’s some way to go to ensure that most organisations are fully GDPR-compliant. The sheer magnitude of full compliance can be daunting to businesses of all sizes, and breaches – particularly malicious cyber attacks – appear to be more common-place and almost inevitable. Due diligence is critical for protecting consumers, employees and businesses. GDPR isn’t intended to trip companies up; rather it is there to ensure that the integrity of personal data is respected in a world that demands more and more of it where it continues to be the most valuable new commodity.
Surely that’s something we can all “opt-in” to?
Disclaimer: This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of BLM. Specialist legal advice should always be sought in any particular case.