Highest GDPR-fine in Hungary: 290.000 EUR due to weak fragile website security
Table of contents
Without a doubt, the breach of website security can be extremely expensive: Hungarian telecommunications company Digi just got fined a record breaking GDPR-penalty of 290.000 EUR – the highest fine imposed by the Hungarian Data Protection Authority (NAIH) thus far.
What happened?
An Ethical Hacker gained access to two of Digi’s databases containing various categories of personal data of subscribers – via a known vulnerability in the website which had not been fixed for years. One of the databases of the company storing personal data of customers (as many as 800.00 households in Hungary) was not encrypted and could have been used for identity theft, according to the NAIH. The exact amount of data subjects affected by the incident was not released by the authority. Nonetheless, according to the enforcement decision, it seems to have been rather significant.
Bernulius / shutterstock.com
This is how expensive GDPR non-compliance can be for your company:
In the case of Digi, their 100 million HUF fine (approx. 290.000 EUR) corresponds to about 0.2% of Digi’s annual turnover of the previous fiscal year. As a general rule, violations of GDPR are punishable with up to 4% of the worldwide annual turnover.
See all fines and penalties data protection authorities within the EU have imposed under the GDPR in the Enforcement Tracker.
How can I protect my business?
✔ Get an overview of all the user data you are storing.
Bear in mind: It doesn’t take an incident for your company to be in trouble with the law. The sole possibility of your data being stolen due to your company’s lax security measures, or someone identifying your company is storing information about users which should not be stored, is enough to consider a privacy breach and be forced to pay hefty fines.
Besides, the pure existence of a security gap is already a sufficient reason to get you fined for not being GDPR-compliant.
⇨ First, check which data is stored by your company and for what purpose – and above all, on what legal basis. To be on the safe side, it might be effective to create several different databases that are clearly separated for each purpose. For more information on designing a GDPR-compliant customer journey click here.
✔ Check your system for possible leaks.
It doesn’t take a “professional hacker” to identify a data leak. Some GDPR-violations can easily be detected by your users or competitors with very little technical knowledge.
Once you get reported, don’t expect authorities to grant you mitigating circumstances. Even if you fully cooperate, they won’t let you off the hook or allow you to pay less.
E.g., In the case of Digi, the company itself reported the data breach to the authorities within the 72-hour-deadline and fixed the leakage, as well as deleted the data that was obtained inadequately. Despite that, it still did not prevent them from getting fined the full amount.
⇨ So better be safe than sorry! Get your system checked – if possible, by experts outside of your company. Since they were not involved in setting up your database and might have a more objective view of it all.
✔ Get your users’ consent before collecting their data.
If you want to collect user data, store it and use it for marketing purposes, you need to obtain consent from your users first – in accordance with the law.
⇨ An easy and particularly compliant way to do so is via a so called “Consent Management Platform (CMP)”.
What are the benefits of a CMP?
|
✔ Collecting and storing consents in accordance with the law |
|
✔ Audit proof documentation ⇨ Proof you did obtain your data the compliant way in case of an audit |
|
✔ No loss of data ⇨ Protect your advertising revenue |
|
✔ Boosts your users trust |
Want to learn more about the Usercentrics CMP? Get in touch with us – we are happy to help!
50 million Euro fine upheld for Google due to GDPR breach
Remember the 50 million Euro fine levied against Google in May 2018 by the French data protection authority (CNIL)...
GDPR 2020: Coronavirus is no excuse for mistakes in data protection management
Happy Birthday GDPR! You are now two years old – about time we started taking you seriously. The State...
The Latest ECJ Ruling on Facebook-like Button Imposes Obligation On Website Operator
According to the ECJ ruling, website operators who integrate a "Like" button from Facebook are jointly responsible for data...
Usercentrics - Obtaining user consent: these five tricks are not GDPR-compliant