On July 8, 2019, the UK Information Commissioner's Office (ICO) announced its intention to fine British Airways £183 million (about US$226 million), roughly 1.5 percent of the company's annual worldwide turnover, for failing to adequately protect personal data as required by GDPR. Attackers had exploited a vulnerability on British Airways' website to implant malicious code that harvested the PII of roughly 500,000 individuals, including names, travel itineraries and payment card data. When announcing the record GDPR fine, the ICO stated:
“Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Statements like these suggest that GDPR enforcement agencies will push towards the 4% maximum fine amount; however, no empirical analysis has been conducted to provide data-driven insight into what is actually happening. Such insight would give organizations a clearer picture of their risks and of what they need to do to mitigate them. It would be particularly useful for the event industry, where the core business model centers on processing PII.
First-ever Empirical GDPR-Fine Analysis
As RainFocus' Information Security and Data Protection Team Lead, I spent a month conducting the first-ever empirical analysis of all GDPR fines issued to date (as of February 2020). The study produced six main findings:
- Fines have increased over time, with the average fine now in the millions of euros
- Fine amounts vary greatly by country, with the UK, France, Italy, Austria, and Germany issuing the largest fines (on average)
- 68% of organizations found to be violating GDPR can expect to be fined €6–245 million (with a mean of €105 million) per violation
- Fine amounts do not appear to be correlated with an organization's number of prior GDPR violations, if any
- Most fines were issued for violating one or both of the following GDPR requirements:
  - Adequately protect personal data against breaches (security of processing, Article 32)
  - Obtain consent from data subjects appropriately (lawful basis and conditions for consent, Articles 6 and 7)
- Even “small” data breaches, like British Airways’ breach, can lead to significant fines
What Your Organization Can Do to Mitigate the Risks of GDPR Fines
To ensure your event data is adequately protected and compliant with GDPR, we recommend you do these three things:
- Thoroughly vet the security posture of all of your vendors.
  - Ensuring your vendors are ISO 27001 certified is a great step, but know the difference between "compliant" and "certified": certification means an accredited third-party auditor has verified the vendor's information security management system, whereas "compliant" is usually a self-assertion with no independent verification. Ask for the certificate and check its scope covers the services you actually use.
- Only collect the data that is needed for your event, especially when that data is sensitive (e.g., passport numbers)
- Obtain consent from each individual, and do so clearly
  - Explicit consent is required for the special categories of personal data defined in Article 9, including racial or ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, and health, genetic and biometric data.
At RainFocus, we understand GDPR's risks and proactively work with our clients to address them. We do this by:
- Making security a top priority in all decision-making
- Having a culture that values security
- Becoming ISO 27001 certified
- Continually improving, staying one step ahead of the risks
To learn more about RainFocus’ comprehensive security measures visit our security page here.