When the General Data Protection Regulation (GDPR) was first discussed, there were headline figures about the size of fines. Where fines levied by the Information Commissioner's Office (ICO) under the old Data Protection Act (DPA 1998) were capped at £500,000, under GDPR those fines could be up to 4 per cent of global annual turnover or 20 million euros (whichever is greater). Yet, to date, GDPR has not really shown its teeth.
This is not, however, because its bark is worse than its bite. Far from it. It is because most of the breaches in the news until recently were reported before May 2018 and are therefore considered under the DPA. The real impact of GDPR will therefore not be seen until breaches which were reported after 25th May 2018 are brought before the ICO.
The Starwood Hotels and Resorts data breach is set to be the first significant case to be judged under GDPR. Because the breach was discovered around 10th September 2018, it falls within the scope of the new regulation. This is despite the fact that the breach is thought to affect records going back as far as 2014, and the fact that Starwood was acquired in 2016 by the Marriott hotel group, which reported the breach and is fully supporting the investigation.
For this and subsequent cases of its type, when considering the level of fine to be imposed, the ICO will scrutinise the case, taking into account whether customers’ personal data is currently being managed in line with GDPR requirements and the ongoing application of GDPR throughout the business. This highlights the very real need for ongoing compliance.
SRM’s GDPR team provides a business-focused service to organisations of all types and sizes. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients through the GDPR compliance process with the focus on delivering robust, efficient and effective ongoing compliance, not on simply selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) role, either as a traditional part-time appointment or via our VirtualCISO™ service.