WHAT THE FIRST GDPR FINES MEAN FOR BUSINESS

Ever since the implementation of the General Data Protection Regulation in May 2018, businesses have been treading on eggshells. Although they were given plenty of time in which to get their cybersecurity protocols shipshape, the risk of monumental fines made business leaders sit up and take note – it was time to act.

It’s taken more than a year, but we finally have our first two high-profile cases of GDPR fines being dished out to those who haven’t kept their customers’ data safe. In 2018 we saw a number of close calls, with several hacks being exposed but by virtue of them happening before the GDPR deadline, they got away with the maximum fine of £500,000 as stipulated under the Data Protection Act 1998. Carphone Warehouse, Equifax, Facebook, Uber and Yahoo all narrowly avoided much higher penalties.

But finally, after more than a year of the GDPR being in force, we have our first culprits – British Airways and Marriott Hotels. The former has been hit with the biggest-ever fine regarding a breach of data, having been handed a £183 million ticket for the hacking of names, addresses and payment information. Marriott Hotels has been ordered to pay the smaller, yet still monumental, fee of £99 million.

Even for companies of their stature, these fines are gargantuan. Although Marriott have surprisingly seen their value increase since the GDPR was introduced, British Airways’ parent company IAG have not enjoyed the same vein of form, coming in at 30 per cent worse off than they were this time 12 months ago. These penalties are having a huge effect on the finances of an organisation, but the more telling impact is how it effects its people and its customer base.

Trust is arguably your organisation’s biggest asset. Without it, you’ll struggle to win business, keep clients onside and, ultimately, recruit. The implementation of the GDPR has meant there is greater transparency in data use, and people now have a greater understanding of how and where their information is being used. However, it can be a double-edged sword – the bigger they are, the harder they fall.

Complying to the GDPR establishes and maintains a greater level of trust than was ever possible under the old guidelines, the Data Protection Act 1998. But fail to meet the required standards, and you’ll realise that – and allow us to paraphrase – hell hath no fury like a user scorned. While Facebook, for example, were only fined a measly amount courtesy of the timing of their breach, they saw $15 billion wiped off their market value and gained a reputation of distrust that is unlikely to be shaken off anytime soon. Reputation is king, and that’s fed by trust.

These latest fines have given businesses a real kick up the backside. For its first year, the GDPR seemed to be nothing more than scaremongering, but with sanctions now being handed out it’s suddenly become very real. Not only is compliance a legal requirement, it’s also the logical thing to do because users, employees and customers are no longer ignorant to the importance of data regulation. Failure to do so will hit you where it hurts most – your back pocket.