Would Uber have been fined €20m for their data breach under GDPR?
The GDPR comes into law on May 25th 2018 and is designed to protect the rights and freedoms of all 750 million European residents. If the GDPR had been enforceable now, it is a safe bet that Uber would have been fined the maximum 4% of their worldwide turnover for the previous 12 months for the recent revelations that they lost the personal data of 7 million customers and drivers.
Uber deliberately concealed the data breach from the supervisory authorities and the affected individuals. The GDPR is designed specifically to deal with such occurrences and the fines can be company crippling.
The GDPR would require Uber to notify the supervisory authorities in each member state within 72 hours of noticing the breach. The fact that they hid the breach for over a year causes the standard maximum fine (€10m or 2% of turnover, whichever is the greater) to be doubled.
Add to this the cost to Uber of a damaged reputation and the potential class action suits from the affected individuals. This is going to hurt Uber in a big way. Potentially, when you consider the other issues that Uber have suffered recently, this could spell the beginning of the end for Uber.
To be clear, even though the hack occurred in North America, the GDPR still applies to any EU citizen’s data regardless of where it is processed. Assuming at least some of the 57 million records pertained to EU citizens, then Uber would be punished under EU regulation.
For Uber to continue operating in Europe after May 25th 2018 it will need to change its attitude and practices to ensure compliance with GDPR. Let’s hope this is a lesson to other firms and that they start working now to ensure their employee and customer data is protected and kept secure.
This case serves to highlight the importance of organisations having appropriate internal processes in place to protect and, if necessary, report data breaches as soon as possible.
Having these processes in place will help businesses meet the requirements on the notification of personal data breaches under the General Data Protection Regulation.
The GDPR forces businesses to disclose major personal data breaches to the supervisory authorities, such as the UK’s Information Commissioner’s Office (ICO) and if the breach impacts the rights and freedoms of individuals, to the affected data subjects too. The rules place an obligation for firms to report breaches to the authorities within 72 hours of the organisation becoming aware of it.
Businesses that fail to comply with the reporting requirements face potential fines of up to €10 million, or 2% of their annual global turnover, whichever is the higher. This underlines the need for internal processes to ensure that the appropriate decision-maker has the information as quickly as possible.
Given the financial and reputational risks caused by data breaches and the failure to report them, the consequences of failing to follow the right processes will become increasingly severe.
Recently, new guidance on data breach notification was issued by the Article 29 Working Party. The guidance clarified that, under the GDPR, businesses that outsource the processing of personal data to third parties will be deemed aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach. We are advising our clients to report breaches immediately even if they know them to have occurred at a third-party processor.
Need help preparing for GDPR? Contact us, we are happy to have a no obligation discussion.