The Vault: Crown Records Management logo

Kevin Widdop, our information security consultant answers your burning questions a year on after GDPR.

1. What breaches and fines have occurred since GDPR came into force?

British businesses have been hit by over 10,000 data breaches in the GDPR era – British Airways was one of the biggest. A data breach that was reported by the airline in September 2018 disclosed that 244,000 payment cards had potentially been compromised in a hack the previous year. The new GDPR regulations state that any breach should be reported within 72 hours, so BA have avoided a financial fine, but their reputation for managing personal data was arguably compromised.

The biggest GDPR fine yet was handed out to Google France – that was some £44m, given by the French data protection watchdog, CNIL, in January. CNIL found that Google failed to offer users transparent information on data use and made it too difficult for users to find essential information, ‘such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation’ – privacy notices that were split across myriad documents, help pages and settings screens, for example.

The Information Commissioner’s Office (ICO) fined Facebook £500,000 for serious breaches of data protection. Whatsapp and a series of other social media giants are also being probed.


2. What changes have businesses had to make as a result in terms of their data handling and storage?

Everything from new, up-to-date data retention policies have been written, as well as GDPR awareness training sessions for anyone who handles personal data within the organisation. Senior management teams have also undertaken senior advisory workshops and best practise on what do when a breach occurs.


3. What does the future of data protection mean for companies?

The Google France fine should prompt businesses to sit up and take note.

It’s not just the financial levy imposed on businesses, but the reputational damage that follows these – newspaper headlines for a data breach are never a good thing in highly saturated, competitive marketplaces – as this can erode trust in the brand.

Many stakeholders within small-to-medium-sized organisations have (anecdotally) claimed that the fines that a post-GDPR world warned of, haven’t materialised. In short, the Google France fine could be the tip of the iceberg.

Universities, law firms, pharmaceutical companies and banks should all be poised to carefully explore what’s in their records stores, as much of the data will contain documents belonging to individuals which may breach their retention policies. All it takes is one subject access request to prompt a business into action.


4. Will there be new risks that companies are exposed to?

Absolutely. There’s an emerging trend in hackers using personal data within the mass of unstructured data that any business holds – a Word document, PDF or e-mail are all examples – to access the prized personal data of organisations.

In an always-on, social media-driven world, the likelihood is that GDPR breaches are happening on a daily basis and we’ve probably just seen the tip of the iceberg so far.


Listen to Kellie Peters, Director of Databasix and self-proclaimed data rock star to explore what has changed since GDPR came into force one year ago. Take note on her key tips to ensure compliance as well as her mantra when it comes to data protection.

Share this page:

Share your thoughts: