Fine could have been €40M under GDPR
TalkTalk’s record-breaking fine of £400,000 could have been 100 times bigger had the company been prosecuted under GDPR. Under the new Regulation, it could have faced a penalty of 4% of its global turnover, which would be about £71M on a turnover of £1750M in 2015. Weren’t they lucky?
Customer details including names, addresses, dates of birth, phone numbers and email addresses were taken for over 155,000 customers. In over 15,000 cases the hacker had access to bank account details and sort codes.
The fine was issued by the Information Commissioner’s Office (ICO) for failures of compliance under the Data Protection Act. Elizabeth Denham, Information Commissioner, made it clear that companies must take responsibility for security failings: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
She added: “The record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
TalkTalk responded by saying that it “had cooperated fully with the ICO at all times and, whilst this is clearly a disappointing decision, we continue to be respectful of the important role the ICO plays in upholding the privacy of consumers.”
This should come as a wake-up call to all companies that hold personal data which could be exposed to attackers. The GDPR states that “Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
For more information about illegal data access and the GDPR, please read article 85 in the GDPR.
Finally, to see how GDPR-info could help you, please contact us.