GDPR – data breach penalties

You could almost imagine that GDPR has disappeared off the face of the Earth now the clamour has died down.

Not so!

Which is why we invited data protection expert Karen Heaton to share with us some of the practical issues that we all still need to think about.

In her second article on GDPR in the real world, Karen looks at data breach penalties.


We all know about the potential for huge fines under the new EU General Data Protection Regulation (GDPR) and now the UK Data Protection Act 2018. These have been grabbing headlines for over a year in the lead up to Implementation Day on 26th May 2018.

Most headline penalties are based on the higher maximum level of fines: 4% of global annual turnover or Euro 20m, whichever is higher. But there is also a standard maximum level, which is 2% of global annual turnover or Euro 10m. Yes, both are hefty penalties, as they apply to turnover, not profits.

Higher maximum level penalties can apply to any failure relating to the data protection Principles, the rights of the individual, or data transfers to third countries.

Standard maximum level penalties can apply to infringement of the administrative requirements of the regulations, for example breaches of controller or processor obligations.

The size of the penalty will depend on a number of factors: the behaviour of the organisation; what steps have been taken to be compliant; how this can be demonstrated to the ICO; and whether the organisational culture takes data protection seriously.

So, let’s look at some recent data breach penalties:

Heathrow Airport – loss of a USB stick in Oct 2017 – penalty of £120k levied under the previous Data Protection Act 1998. The investigation by the ICO found:

  • only 2% of the 6,500-strong workforce had been trained in data protection
  • there was widespread use of removable media (eg USB sticks, CDs), which contravened the company’s guidance
  • the controls in place were ineffective at preventing personal data from being downloaded onto unauthorised or unencrypted (removable) media

Bayswater Medical Centre – left sensitive data in an empty building in July 2015 – penalty of £35k levied under the previous Data Protection Act 1998. The investigation by the ICO found:

  • The data was left from July 2015 to February 2017, during which time access to the building was granted to other organisations. Emails to the medical centre about the unsecured data had not been actioned.
  • Examples of how poorly the data was secured in the empty building:
    • Patient identifiable data was lying on a desk and in a bin in one of the consultation rooms
    • Medical records stored in 2 unlocked cabinets with the keys left in the locks
    • Boxes of prescribed medication containing patient identifiable information left throughout the premises
  • The ICO found that the Centre had:
    • Failed to adhere to its own policies regarding security of medical records, patient confidentiality and confidential waste disposal
    • Failed to take adequate physical measures to secure the building
    • Failed to take any or any sufficient measures to secure the physical security of patient identifiable data in the building

Bupa Insurance Service Limited has been fined £175k for failing to have sufficient measures in place to protect customers’ personal data.

  • Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web
  • Bulk data reports were sent to his personal email account
  • Bupa was alerted to the breach on 16 June 2017 by an external partner – it was not picked up by their own controls
  • Bupa did not routinely monitor the system’s activity logs

What does this mean for your organisation?

Well, a number of risk reduction steps should be taken:

  • staff training in data protection
  • data handling guidelines
  • security procedures – physical and electronic
  • encryption of removable devices
  • restriction of data downloads
  • understanding your role – Controller/Processor
  • data breach procedures
  • being able to demonstrate compliance with data protection regulations
  • building a culture of taking data protection seriously

There’s more. See our checklist!


Today’s fact. The ICO quarterly statistics on reported data security incidents found that in Q4 2017, four of the five leading causes (cases where the ICO took action) involved human error and process (control) failures.

=> Employee training and data handling guidelines are ‘must haves’ for organisations processing personal data and special categories of data, eg medical data or children’s data.

See you next week!