GDPR Fines UK: What You Need to Know About GDPR Non-Compliance

The introduction of EU-wide GDPR legislation has ushered in a new era of stringent data security, compelling UK organisations to make data protection a distinct priority like never before.  

While we don’t want to cover old ground by stressing the importance of GDPR compliance (or even how GDPR can actually benefit your business), we want to take a look at the real-world consequences of failing to uphold data protection laws.

After all, these regulations have been put in place to protect all of our personal data, securing both individual privacy and business confidentiality. It’s in all of our interest that data protection is upheld to the full extent of the law.

Has anyone been fined for a GDPR breach? 

Yes – since GDPR was implemented in May 2018, the ICO (the UK’s independent national data protection authority) has taken action against over 100 organisations in both the private and public sectors.

These actions include issuing undertakings, enforcement notices and even prosecutions, but the majority of penalties are monetary fines.

Notable GDPR breach fines so far:

  •     Carphone Warehouse, January 2018 – £400,000 fine after serious security failures put both customer and employee data at risk.
  •     Facebook, July 2018 – £500,000 fine (the maximum at the time) over the Cambridge Analytica scandal where the personal data of millions of Facebook users was used without their consent for political advertising.
  •     Bupa, September 2018 – £175,000 for failing to implement security measures that would effectively protect their customers’ personal information.
  •     Heathrow Airport, October 2018 – £120,000 fine for failing to secure the personal data held on its network.
  •     Uber, November 2018 – £385,000 fine for failing to protect their customers’ and drivers’ personal information during a cyber attack.
  •     British Airways, July 2019 – £183 million fine for a data breach that compromised the personal details of approximately 500,000 customers.
  •     Marriott International, July 2019 – £99 million fine for failing to protect the personal data of roughly 339 million guests.

For a full list of organisations and companies fined under GDPR please refer to the ICO’s enforcement action page.

How much is a GDPR fine?

The most annoying of all answers – it depends. While pre-May 2018 data protection legislation capped the maximum fine for a breach at £500,000 (see the Facebook fine above), GDPR introduced a much stricter, two-tier system of fines tied to the offending company’s revenue:

  1.     Up to €10 million, or 2% of annual global turnover – whichever is higher; or
  2.     Up to €20 million, or 4% of annual global turnover – whichever is higher.

Maximum fine for GDPR

As shown above, the maximum fine a company can face for GDPR non-compliance is €20 million or 4% of that company’s annual worldwide revenue, whichever is higher. This penalty can be applied to any failure to comply with any of GDPR’s data protection principles.

So, if we look at the case of the British Airways data breach mentioned above, the £183 million sum they faced amounted to 1.5% of their global turnover. If the ICO had chosen to enforce the maximum 4% fine, British Airways could have faced a bill of approximately £489 million!

While this example may highlight the lenience that the ICO can exercise when investigating GDPR breaches, it also stresses the very considerable and very real fines that can be, and are being, enforced in the UK.

Can individuals be fined under GDPR? 

Yes – the EU specifically states that GDPR legislation “regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.” These data protection regulations apply to any individual or organisation that uses another party’s data “outside the personal sphere, (such as) for socio-cultural or financial activities.”

There have already been dozens of individuals who have faced punitive action by the ICO as a direct result of data protection violations and GDPR non-compliance (the Data Protection Act 2018 is the UK’s implementation of GDPR). In most cases, this involved prosecution, which typically resulted in hefty fines, costs and victim surcharges.

At Flexible Storage, our document storage services are fully compliant with GDPR regulations, so you know your documents will be in the safest possible hands. Get in touch with one of our professional storage consultants today to see how we can help you protect your confidential data, avoid any fines and keep your company operating at maximum potential. 

How safe are shredding services?

If we’ve said it once, we’ve said it a thousand times – you need to look after your confidential waste. This applies to domestic paperwork as much as it does to business documents.

Leaving your sensitive paperwork in a drawer at home or a cabinet at the office will quickly lead to clutter, confusion and – worst of all possible scenarios – compromising your personal and commercial data security.

Shredding for security

When it comes to protecting your physical documents, shredding is by far the safest, simplest and most convenient way to destroy sensitive material.

In other posts, we’ve covered what sensitive documents need to be shredded, the reasons why they should be shredded and what you should do with the shredded waste.

While there’s little argument over the effectiveness of shredding in principle, in practice it’s only as effective as the company that is carrying it out. 

In this post, we’ll take a look at the different types of shredding services currently available on the market so that you can be sure that you’re choosing the safest one possible.

High street shops

One of the cheapest shredding options is to take your confidential documents to an office supplies, stationery or printing shop. A common sight on high streets and in shopping centres up and down the UK, they offer the use of their shredders or facilitate the shredding of your documents by a third party.

While this service appears cost-effective and efficient on the surface, behind-the-scenes security is often lacking. Sensitive paperwork is often left unlocked in store cupboards for days at a time. There have even been instances where burglars have specifically targeted the shredding bags; a testament to how valuable confidential data is to modern criminals.

The reality is that these types of high street shredding services, while relatively cheap, do not have the highly trained staff or stringent security standards that professional shredding services have. If you want to be sure that your confidential waste is professionally handled and securely shredded, you’d be well advised to look elsewhere…

Professional shredding & recycling centres

If you want to get true peace of mind when destroying confidential waste, you’ll need to look to the pros. Professional shredding facilities have the expertise, experience and industry accreditations to provide you with the most secure service possible.

Unlike a high street shop or small-scale office shredder, shredding facilities have industrial shredders that completely pulverise documents, CDs, credit cards and many other confidential materials.

Some of the best companies can even save you the trouble of moving your paperwork by collecting your files from your office or your document storage facility.

Confidential Waste Console

Confidential waste disposal bins are another great way to ensure your business documents are safely stored and securely destroyed. These lockable bins collect sensitive office paperwork and can be regularly emptied and shredded by your shredding service provider. While this is not particularly relevant to domestic users, it’s a great way for businesses to stay on top of their confidential waste with minimum effort.

Choosing the safest shredding service

So now that you know the benefits of a professional shredding service, you’re going to need to know how to spot the best shredding service provider out there. There are a handful of qualifications and indicators that a shredding company should have to ensure they are offering the safest possible service.

If the shredding service provider does not have all of the following industry accreditations, you should definitely think twice before entrusting them with your confidential waste. Even if they are offering an unbelievably cheap service, you may end up paying a much higher price in the long run.

Shredding service checklist: 

  •     Certificate of Destruction for peace of mind
  •     Waste Carriers Licence from the Environment Agency
  •     DBS checked staff to ensure secure and professional handling
  •     GDPR & Data Protection compliant
  •     BS EN 15713:2009 accreditation for the Secure Destruction of Confidential Waste
  •     ISO 9001/ISO 27001/ISO 14001 certifications for quality management, information security management and environmental responsibility
  •     Waste Electrical and Electronic Equipment Directive (WEEE) compliance

Flexible Storage’s shredding service is fully aligned and compliant with all of the above qualifications and regulations. As well as adhering to the highest possible industry standards, 100% of their shredded waste is recycled at a licensed UK paper mill. In fact, for every tonne of paper waste that they recycle, approximately 17 trees are saved!

Get in touch with the Flexible Storage team today to see how a professional, safe and cost-effective shredding service can benefit you.