The General Data Protection Regulation (GDPR) is a set of data protection regulations that were introduced in the European Union in 2018. These regulations apply to all organisations that process personal data of EU residents, including those in the United Kingdom.
Since the UK was a member of the EU when the GDPR was introduced, it adopted the regulation into its national laws through the Data Protection Act 2018. The UK’s Information Commissioner’s Office (ICO) is responsible for enforcing GDPR compliance in the UK.
While it’s still relatively early to make a definitive assessment of the success of GDPR in the UK, it has undoubtedly had a significant impact on data protection practices. Organisations now have to be more transparent about the data they collect, how it is used, and who it is shared with. Individuals also have more control over their personal data, including the right to access, correct, and delete their information.
The ICO has also taken a more active role in enforcing GDPR compliance, with increased powers to issue fines for data breaches and non-compliance. In the first year after GDPR came into effect, the ICO issued several high-profile fines, including a £183 million fine to British Airways and a £99 million fine to Marriott International.
Overall, while there have been some challenges and criticisms of GDPR, it has been successful in raising awareness about the importance of data protection and holding organisations accountable for their handling of personal data.
Here are the top 10 fines issued in the UK under GDPR as of 2021:
1. British Airways – £20 million ($26 million) – 2020: The airline was fined for failing to protect customers’ personal and financial data during a cyber attack in 2018.
2. Marriott International – £18.4 million ($23.8 million) – 2020: The hotel chain was fined for a data breach that exposed the personal information of up to 339 million guests worldwide, including 7 million UK residents.
3. Ticketmaster UK – £1.25 million ($1.6 million) – 2020: The ticket sales company was fined for failing to protect customer data during a cyber attack in 2018 that affected 9.4 million customers across Europe.
4. Dixons Carphone – £500,000 ($645,000) – 2020: The electronics retailer was fined for a data breach that exposed the personal information of 10 million customers, including 5.9 million payment cards.
5. Bounty UK – £400,000 ($516,000) – 2019: The parenting club was fined for illegally sharing personal data of more than 14 million people without their consent.
6. Equifax Ltd – £500,000 ($645,000) – 2018: The credit reporting agency was fined for a data breach that exposed the personal information of up to 143 million people worldwide, including 15 million in the UK.
7. Facebook – £500,000 ($645,000) – 2018: The social media giant was fined for failing to protect users’ personal data in the Cambridge Analytica scandal, which affected up to 87 million people worldwide.
8. Uber – £385,000 ($497,000) – 2018: The ride-hailing company was fined for a data breach that affected 57 million customers and drivers worldwide, including 2.7 million in the UK.
9. Heathrow Airport – £120,000 ($155,000) – 2018: The airport was fined for failing to secure personal data on a lost USB stick, which contained confidential information about security measures at the airport.
10. Gloucestershire Police – £80,000 ($103,000) – 2018: The police force was fined for sending a bulk email that revealed the identities of victims of child abuse to hundreds of people by mistake.
It’s worth noting that fines for GDPR violations can be up to 4% of a company’s global annual revenue or €20 million, whichever is greater. However, the fines issued so far have been considerably lower than the maximum possible penalty.
What Can You Do As a Business?
1. Appoint a Data Protection Officer (DPO): Under GDPR, certain businesses are required to appoint a DPO to oversee data protection activities. Even if your business is not required to appoint a DPO, having someone in charge of data protection can help ensure that the right policies and procedures are in place to protect personal data.
2. Implement data protection policies and procedures: Businesses should have clear and comprehensive data protection policies and procedures in place to ensure that employees understand how to handle personal data in compliance with GDPR. This can include policies on data security, data retention, and breach notification.
3. Conduct a data protection impact assessment (DPIA): A DPIA is a process that helps businesses identify and mitigate risks associated with their data processing activities. Conducting a DPIA can help businesses identify areas where they need to improve their data protection practices.
4. Provide training for employees: Employees should be trained on GDPR and data protection policies and procedures. This can include training on how to handle personal data, how to identify and report data breaches, and how to respond to data subject requests.
5. Implement technical and organisational measures: Businesses should implement technical and organisational measures to protect personal data, such as encryption, access controls, and regular backups. These measures can help prevent unauthorised access, accidental loss or destruction, and other types of data breaches.
6. If you cannot shred it, put it somewhere safe. See our range of shredders here and our safes here. It’s not just about paper: data can also be stored on USB sticks and mobile phones, all of which can be destroyed. We also offer a full destruction service for these types of device.