24 May 2021

Why getting hacked should be more expensive

Data breaches directly affect customers of businesses, but companies themselves have been getting off relatively lightly – so far.

By Will Dunn

Where will you be celebrating the third birthday of the General Data Protection Regulation (GDPR) tomorrow (Tuesday 25 May)? A bar with privacy-enhancing booths? That restaurant where everyone eats in the dark? Or perhaps simply by offering a friend a cookie they’re not sure they want, then making them sign a series of confusing forms in order to accept it?

Three years ago, the EU implemented its data protection law, which led businesses to send many millions of emails asking for permission to send billions more emails (my personal favourite invited me to “stay engaged with radioactive waste”).

These emails proliferated because GDPR was, and still is, scary for businesses. It introduced the risk of enormous fines – up to 4 per cent of annual global turnover, or €20m, whichever is higher, for the most serious infringements. These fines, with the rest of the GDPR, are retained in UK law post-Brexit.

[see also: Why the UK’s post-Brexit plans are a threat to data protection]

At the time, there was a good argument for making cyber security a more frightening risk for businesses. Before the law was implemented, companies faced a relatively small fine for trying to keep a data breach quiet, or the greater reputational risk of admitting they’d been hacked.

For example, when TalkTalk lost the personal details of 157,000 (and the bank details of 16,000) customers, the UK Information Commissioner’s Office levied a penalty of £400,000. Dido Harding told me at the time that she thought other companies had covered up their own data breaches (she also suggested the TalkTalk breach might have been the work of a “state actor”; it was later shown to be the work of a 16-year-old from Norwich). But under GDPR, there would have been no doubt about what was the greater risk: TalkTalk could have been fined more than £70m for the breach.

Similarly, when Tesco Bank lost £2.26m to hackers in 2016, it was eventually fined a heftier £16.4m by the Financial Conduct Authority (FCA) – but it could have been much bigger still under GDPR. Four per cent of Tesco’s £48.4bn turnover that year would have been more than £1.9bn.

What’s less scary for businesses is that in the three years it’s been possible to incur such fines, they haven’t really materialised. In 2018, British Airways was threatened with a £183m fine after hackers accessed the personal and financial details of nearly half a million customers through its website, but this was dropped last year to £20m – about 0.15 per cent of the airline’s 2018 turnover. Across the EU, the total of fines from more than 600 enforcement actions over three years comes to just over €283m.

This is part of the reason critics of GDPR say it has handed more power to Big Tech – the few companies that can afford to navigate the legislation well, and which ad buyers know won’t expose them to GDPR’s legal risks. The biggest GDPR fine levied so far is the €50m that France fined Google, but this is still less than 0.03 per cent of the company’s 2020 turnover.

Will the power to make an example of a big multinational ever be used? In the UK, it’s looking less likely. In its new data strategy, published in December, the government is clear that it sees “data and data use… as opportunities to be embraced, rather than threats against which to be guarded”. When the UK’s new Information Commissioner is picked later this year, it will be someone aligned with this view.

But as recent big events such as the Colonial Pipeline hack and the announcement of the Air India data breach show, companies have an ever-increasing responsibility to defend their customers against an enemy that is only becoming more persistent. If companies are going to take security more seriously, GDPR may yet have to live up to its fearsome reputation.