Highest GDPR-fine in Hungary: 290.000 EUR due to fragile website security 

Without a doubt, the breach of website security can be extremely expensive: Hungarian telecommunications company Digi just got fined a record breaking GDPR-penalty of 290.000 EUR – the highest fine imposed by the Hungarian Data protection Authority (NAIH) so far.

What happened?

An Ethical Hacker gained access to two of Digis data bases containing various categories of personal data of subscribers – a known vulnerability in the website which had not been fixed for years. One of the data bases of the company was storing personal data of customers (as many as 800.00 households in Hungary) which was not encrypted and could have been used for identity theft according to the NAIH. The exact number of data subjects affected by the incident was not released by the authority. Nonetheless, according to the enforcement decision, it seems to have been rather significant. 

Bernulius / shutterstock.com

This is how expensive GDPR non-compliance can be for your company:

In the case of Digi, their 100 million HUF fine (approx. 290.000 EUR) corresponds to about 0.2% of Digi’s annual turnover of the previous fiscal year. As a general rule, violations of GDPR are punishable with up to 4% of the worldwide annual turnover.

See all fines and penalties data protection authorities within the EU have imposed under the GDPR in the Enforcement Tracker. 

How can I protect my business?

✔ Get an overview of all the user data you are storing

Bare in mind: it doesn’t take an incident for your company to be in trouble with the law. The sole possibility of your data being stolen due to your company’s lax security measures or someone identifying your company is storing information about users which should not be stored is enough to consider a privacy breach and be forced to pay hefty fines. 

Besides, the pure existence of a security gap is already a sufficient reason to get you fined for not being GDPR-compliant. 

⇨ First, check which data is stored by your company and for what purpose – and above all, on what legal basis. To be on the safe side it might be effective to create several different databases that are clearly separated for each purpose. You can find more information in our article “Designing The Customer Journey To Be GDPR Compliant“.

✔ Check your system for possible leaks

It doesn’t need a “professional hacker” to identify a data leak. Some GDPR-violations can easily be detected by your users or competitors with very little technical knowledge. 

Once you get reported, don’t expect authorities to grant you mitigating circumstances. Even if you fully cooperate they won’t let you off the hook or allow you to pay less. 

E.g. In the case of Digi, the company itself reported the data breach to the authorities within the 72-hour-deadline and fixed the leakage as well as deleted the data that was obtained inadequately. Despite that, it still did not protect them from getting fined the full amount.  

⇨ So better be safe than sorry! Get your system checked – if possible, by experts outside of your company. Since they were not involved in setting up your database and might have a more objective view of it all.

✔ Get your users consent before collecting their data  

If you want to collect user data, store it and use it for marketing purposes you need to obtain consent from your users first – in accordance with the law. 

⇨ An easy and particularly compliant way to do so is via a so called “Consent Management Platform (CMP)”.  

What are the benefits of a CMP?

Want to learn more about the Usercentrics CMP? Get in touch with us – we are happy to help!