The Cost Of ISO & GDPR Non-Compliance

Joe A. J. Beaumont Headshot
Written by Joe A. J. Beaumont  Security blogger

10/05/2021

GDPR non-compliance

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and took on full effect on 25th May 2018. It was also enshrined in the UK’s new Data Protection Act (2018), making it applicable within the UK post-Brexit. The regulation was designed to strengthen existing data protection legislation. As well as applying to all member states of the EU and UK, it also applies to any organisation no matter where they are located, who do business, collect, or analyse data of EU residents.

If we don't comply with GDPR rules, it can result in the possibility of severe penalties. Companies that are yet to establish compliance have been given ample warning to do so. In addition to meeting GDPR requirements having robust security measures in place is essential for all organisations with the exponential increase in cyber attacks year after year.

The lower level allows for fines of up to €10 million or 2% of their global annual turnover

GDPR penalties

There are two levels of financial penalties that can be imposed for GDPR infringement:

The lower level allows for fines of up to €10 million or 2% of their global annual turnover. This penalty can be issued for violations of:

  • Article 8 Conditions applicable to child’s consent concerning information society services
  • Article 11 Processing which does not require identification
  • Articles 25 to 39 General Obligations related to Controllers and Processors
  • Article 42 Certification
  • Article 43 Certification Bodies

The higher tier is for more severe GDPR infringements, and fines of up to €20 million can be imposed or 4% of annual global turnover. These are for infringements relating to:

  • Article 5 Principles relating to the processing of personal data
  • Article 6 Lawfulness of processing
  • Article 7 Conditions for consent
  • Article 9 Processing of special categories of personal data
  • Articles 12 to 22 Rights of the data subject
  • Articles 44 to 49 Transfers of personal data to third countries or international organisations

The financial penalties received are dependent on several factors, such as the type of violation committed, how serious it was and the time it lasted. It will also take into account if the infringement was accidental or deliberate and if it was your first violation and if you were cooperative. Also, it matters whether or not you comply with any accepted codes of conduct or certifications such as ISO 27001.

A gavel on an EU flag

Further implications

In addition to harsh fines, other sanctions can be imposed against your business by authorities such as the ICO (Information Commissioner’s Office) that are responsible for enforcing GDPR in the UK. They can enforce temporary and permanent bans on you processing personal data and suspend your data transfers to third countries to highlight just two examples.

A data breach could also lead to a lawsuit being carried out by third-party litigation. An individual or groups of people could sue your company for damages adding to even further costs on top of any GDPR fine.

Article 82 states: Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Reputational damage is another significant side-effect of a data breach or GDPR infringement. Having your company name linked to a data protection violation will result in a lack of trust in your business. Is a potential customer likely to trust your company if you have had a publicised data breach and been fined by the GDPR or will they seek out one of your competitors?

The question really doesn't need an answer.The financial repercussions of reputational damage can have a prolonged impact on your business, and in some cases, the restoration of your reputation is impossible.


GDPR fines

The various authorities enforcing GDPR in Europe have already handed out penalties to many companies after data breaches and other data protection infringements and made an example of some big players with hefty fines.

As of November 2020, there have been a total of 408 fines levied, and €259,759,295 has been paid out due to lack of GDPR compliance. The sector that has the most fines imposed upon it to date is Industry and Commerce with 98 instances closely followed by Media, Telecoms and Broadcasting.

A few of the high profile GDPR compliance casualties include:

Google

Google was hit with a massive €50 million GDPR penalty in 2019, which is the largest so far. There were several violations under GDPR articles 5, 6, 13 and 14. The French data regulator CNIL said that they imposed the fine for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation."

British Airways

After a cyber-attack on the company's website, personal data from around 500,000 customers was stolen, the ICO claimed that inadequate security measures compromised the British Airways website. The organisation was fined €22,036,306.

Marriott International Inc

After the acquisition of competitor Starwood, it was discovered that its central reservation database had suffered a data breach. The hack impacted 30 million hotel customers and included dates of birth, passport numbers and details of 8 million credit cards. According to the ICO, the hotel chain lacked due diligence and failed to take the proper steps in ensuring that adequate security measures protected their systems. In addition, the company failed to notify their customers of the data breach until several months after the hack. Marriott was fined €20,450,000.

If a breach does occur and personal data is at risk, you must be swift in reporting it to the relevant supervisory authorities

GDPR and security

GDPR compliance can be tricky, and while the big name brands like Google BA and Marriott are more likely to hit the headlines after receiving a fine, businesses big and small are all on the GDPR radar. We all understand that the GDPR is about protecting the data of individuals who reside in the EU but let's look at what they specifically have to say on the matter of security.

Article 32 of the GDPR covers Security of Processing and states that:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

This amongst other things includes:

  • Pseudonymisation and encrypting of personal data.
  • Ensuring the continuous availability, confidentiality, integrity and resilience of processing services and systems.
  • In the event of a physical or technical incident have the capability to recover the accessibility and availability of personal data as swiftly as possible.
  • Have in place a process to test, assess and evaluate the effectiveness of technical and organisational measures to ensure the security of the processing.

Confidentiality, Integrity, and Availability

Known as the CIA triad, confidentiality, integrity, are part of your GDPR compliance responsibilities.

  • Confidentiality - to protect data from the risk of unauthorised access.
  • Integrity - to ensure that data is protected from unauthorised alteration.
  • Availability -  to ensure that data and resources are available to those that require it.

The first step to ensuring that you are GDPR compliant is to identify the personal data you keep, how sensitive it is and who in your organisation has access to it. Once you have documented this information, you can then check if your existing security measures are robust enough to ensure the data is as safe as possible.

Processes should be established to detect, investigate and report any data breaches. Data breach testing, using penetration tests and vulnerability screening should be performed regularly to ensure that effective procedures are in place.

If a breach does occur and personal data is at risk, you must be swift in reporting it to the relevant supervisory authorities – in the UK this is the Information Commissioner's Office (ICO).

A red padlock among blue locks, signaling a breach

In the event of a data breach

Article 33 of the GDPR states that if a data breach occurs and is a threat to data privacy rights, you must report the matter within seventy-two hours of discovering the breach. Article 34 states that Data Processors or a Data Protection Officer are required to alert their customers straight away if the violation will potentially lead to the rights and freedoms of the individuals involved being negatively impacted.


Appointing a Data Protection Officer (DPO)

Whatever the size and industry of your organisation, if you deal with the personal data of EU or UK residents, someone in your organisation needs to be appointed as responsible for GDPR. It’s also wise to have a knowledgeable Data Protection Officer to oversee the nuts and bolts of your GDPR compliance. This can be someone within your organisation with adequate training, but more often it’s an outsourced position. They will serve to coordinate all communication between your enterprise and the GDPR Supervisory Authorities.

Despite it being strongly recommended by Supervisory Authorities and best practices alike, appointing a DPO is only strictly mandatory if your organisation meets one of these three requirements:

  1. Your organisation is a public body or authority (unless you are a court or independent judicial authority where exemptions are granted).
  2. Your organisation is involved in the regular monitoring of user data of EU residents on a large scale.
  3. Your organisation’s core activity is processing personal user data on a large scale.
An integral part of GDPR compliance is taking information security seriously

Why you should be concerned about information security

Good data protection comes from strong processes, procedures and technical controls. Meeting GDPR compliance means that you have implemented effective processes to protect any personal data that you collect or process. By following GDPR guidance, you will not have to suffer from the cost of a hefty fine and other related costs and negative knock-on effects caused by lack of compliance. And an integral part of GDPR compliance is taking information security seriously.


Information security management systems (ISMS)

The GDPR has no universal standard of what information security measures an organisation needs to have in place. They state an organisation should securely process data by mplementing  ‘appropriate technical and organisational measures.’

These measures are typically known as information security management (ISM) which are a set of controls put in place to protect the confidentiality, integrity and availability of an organisation's informational assets against cyber threats and vulnerabilities.

Informational assets don't just include the personal data that you collect from individuals but encompasses all sensitive data that your organisation holds.

Companies often adopt a framework of documented controls and guidelines known as an information security management system (ISMS), that is designed to manage information security in a systematic manner across an organisation. The object of an ISMS is to mitigate risk and ensure operational continuity by taking proactive steps to constrain the consequences of a breach.

In practice, many enterprises choose to follow specific standards and the most popular of these is ISO 27001.

A futoristic dashboard with iso27001 in the centre

What is ISO 27001?

ISO 27001 is a globally recognised ISMS standard set out by the International Organization for Standardization (ISO).  ISO 27001 offers the framework for an enterprise to create a successful and effective ISMS.

Rather than mandating any specific methods or tools, it includes suggestions for effective risk control. Essentially, it is a checklist of actions that are needed to meet compliance. If you have achieved the goal of ISO 27001 certification and become fully compliant, it shows that your ISMS has followed all the cyber security best practices required for a robust security posture.

While it is not a legal requirement to be ISO 27001 certified, if your organisation processes and stores sensitive data, it is strongly recommended to help protect against potential information security threats. In addition, your business will benefit from demonstrating that it has achieved an internationally recognised standard for best practices in ISM. Also, some Government and commercial enterprises specify in their contracts that ISO 2700 certification is required as standard to bid on contracts.


How does ISO 27001 relate to GDPR compliance?

An effective ISMS, ISO 27001 certification, and GDPR compliance go arm in arm. There is no specific GDPR certification as such. However, ISO 27001 is closely aligned with the personal data protection objectives outlined in a crucial section of the GDPR, namely Article 32, where it requires organisations to implement 'appropriate technical and organisational measures' when it comes to data processing security.

Essentially the requirements described in the Article 32 are the same that are required for ISO 27001 certification. This includes the standards set on data encryption, requirements for availability and restoration, and business continuity.

ISO 27001 is much more comprehensive in breadth than GDPR when it comes to sensitive data as it addresses both personal data and the organisation's critical data. However, ISO 27001 certification won't make your business completely GDPR compliant, but it does serve as a great foundation.

Having the appropriate security measures in place can significantly lower the risk of a security breach and a hefty fine from the GDPR

Final Thoughts

All organisations that process or control the personal data of individuals have a responsibility to protect this information from any security risk. By becoming ISO 27001 certified, your company has independently audited verification that it is compliant with information security best practices on an international level.

Having the appropriate security measures in place can significantly lower the risk of a security breach and a hefty fine from the GDPR. While there is no requirement from the GDPR to be certified to any standard, including ISO 27001, in the worst-case scenario if the data you held was compromised in a cyber attack certification, it will put your enterprise in a more favourable light.

It should be understood that GDPR compliance, ISO 27001 accreditation and your organisation's security are all ongoing - there is no set and forget solution. Working with data protection compliance experts can make the process much smoother, ensuring that information security is performing at an optimal level and can also offer support with ISO 27001 certification and GDPR compliance.


Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.