GDPR fines total €56M in first year

Craig Hynd |


White wave White wave used to provide a visual break between the header and the body of the page.

Legal database Lexology has tallied-up the total fines for the first year of GDPR, and it came to a staggering €56 million.

The GDPR is the gold-standard data privacy law for the European Union. Since its inception, more than 200,000 investigations have been initiated, 64,000 of which have been upheld.

However, one particular case before the GDPR even came into force has caught our eye.

Carphone Warehouse were fined £400,000 after the Information Commissioner's Office said, "serious failures placed customer and employee data at risk."

And, as HR tech experts, it's the employee data part that we're interested in.

Carphone Warehouse's system contained approximately 1,000 employee records, and those records comprised:

  • Name
  • Home post code
  • Work email address
  • Work username
  • Personal and work phone numbers
  • Car registration numbers
  • Department and line manager information

From 21st July-5th August 2015, their system was compromised by an attacker using a relatively common penetration tool called Nikto, which is used to discover security issues like outdated software and other vulnerabilities.

The attacker gained control over file management and database functionality of the outdated system, and was able to locate sensitive credentials in plain text format (which means login information wasn't encrypted – a big mistake).

A £400,000 fine pre-GDPR is significant, but imagine what the figure could look like if something like this happened today.

Companies can now face fines of:

  • €10 million or 2% of annual global turnover (whichever is higher)
  • €20 million or 4% of annual global turnover (whichever is higher)

The fine imposed depends on the severity of the infringement, but we'd wager that companies who store sensitive information in unencrypted formats on outdated systems won't get off lightly.

We've blogged before about the ticking time bomb of HR data security and the importance of storing employee data in a secure cloud platform, and these kinds of cases only serve to reinforce our message: if you have any doubts about the security of your employee data – whether you store it in a filing cabinet or in software – it's time to wake up and make meaningful changes before it's too late.