Anatomy of a Breach: GDPR — The Regulation That Changed the Stakes Forever

> series: anatomy_of_a_breach —— part: 113 —— event: gdpr_enforcement —— max_fine: 4%_global_turnover —— notification: 72_hours

Hedgehog Security 31 May 2018 14 min read

25 May 2018. Maximum fine: 4% of global turnover. The stakes changed overnight.

On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable across the European Union, including the United Kingdom, where the Data Protection Act 2018 supplemented it and repealed the Data Protection Act 1998. For the ICO and for data protection across every sector this series has covered, the change was transformative. The maximum fine increased from £500,000 under the Data Protection Act 1998 to the higher of 4% of global annual turnover or €20 million. Notification of personal data breaches to the regulator became mandatory, where feasible within 72 hours of becoming aware of them. Organisations were required to demonstrate accountability: not just compliance, but evidence that appropriate technical and organisational measures were in place.

To understand the magnitude of the change, consider the breaches documented in this series under the old regime. TalkTalk was fined £400,000, close to the maximum available. Under GDPR, the same breach could have attracted a fine of up to approximately £72 million (4% of TalkTalk's £1.8 billion revenue). Carphone Warehouse's £400,000 fine could have been up to £400 million. The Cambridge Analytica fine on Facebook of £500,000 (the DPA maximum) could have been up to $1.6 billion. These are ceilings rather than tariffs, since GDPR fines must be proportionate to the nature, gravity and duration of the infringement, but GDPR did not just raise the ceiling: it raised it by roughly three orders of magnitude.


The pillars of GDPR enforcement that bear on the breaches in this series.

Fines: Up to 4% of Global Turnover
The maximum fine increased from £500,000 to the higher of 4% of global annual turnover or €20 million, transforming data protection from a cost-of-doing-business nuisance into a board-level risk. The ICO's first major GDPR enforcement actions, against <a href="/blog/anatomy-of-a-breach-british-airways-magecart">British Airways</a> (proposed £183 million) and <a href="/blog/anatomy-of-a-breach-marriott-starwood">Marriott</a> (proposed £99 million), demonstrated the new scale, even though both penalties were substantially reduced in the final notices (to £20 million and £18.4 million respectively) after the companies' representations and the economic impact of the pandemic were taken into account.

72-Hour Breach Notification
Organisations must notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk to individuals is high, they must also be told without undue delay. The clock starts when the organisation has a reasonable degree of certainty that a breach has occurred, not when the incident is fully understood, so an initial report may be incomplete and followed by phased updates. The <a href="/blog/anatomy-of-a-breach-yahoo-500m">Yahoo two-year delay</a> and <a href="/blog/anatomy-of-a-breach-uber">Uber's 13-month cover-up</a> would now constitute separate GDPR violations in their own right. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the prompt detection on which a 72-hour notification depends.

Accountability Principle
Organisations must be able to demonstrate that they have implemented appropriate technical and organisational measures: not just claim compliance, but evidence it with records of processing, risk assessments and test results. <a href="/cyber-essentials">Cyber Essentials certification</a> and regular <a href="/penetration-testing">penetration testing reports</a> are documented evidence of that kind, although neither is itself a GDPR certification, and the measures must still be proportionate to the risk of the processing.

Data Protection by Design
Security must be built into systems from the start, not bolted on afterwards, and by default a system must process only the personal data necessary for each specific purpose. Our <a href="/penetration-testing/web-application">web application</a> and <a href="/penetration-testing/api">API testing</a> validates that systems are designed with data protection in mind, the principle that the <a href="/blog/anatomy-of-a-breach-moonpig">Moonpig</a>, <a href="/blog/anatomy-of-a-breach-snapchat">Snapchat</a>, and <a href="/blog/anatomy-of-a-breach-cambridge-analytica">Cambridge Analytica</a> failures each violated.

GDPR made security a board-level obligation.

GDPR transformed data security from an IT concern into a board-level obligation, and the Data Protection Act 2018 adds personal criminal liability for directors where an offence by the company is committed with their consent or connivance, or is attributable to their neglect. For UK organisations, the practical implications are clear: Cyber Essentials certification provides documented evidence of baseline security measures, regular penetration testing demonstrates proactive vulnerability management, continuous SOC monitoring detects breaches early enough to meet the 72-hour notification window, and incident response capability ensures breaches are managed professionally and reported within regulatory timescales.

After ten years of documenting breaches met with fines that were a rounding error in corporate budgets, GDPR gave the ICO the enforcement power to match the threat. The first major fines — British Airways and Marriott — would demonstrate that the ICO intended to use it.


GDPR fines can reach 4% of global turnover. Can you demonstrate appropriate measures?

<a href="/cyber-essentials">Cyber Essentials</a> provides documented evidence. <a href="/penetration-testing">Penetration testing</a> demonstrates proactive security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> supports 72-hour notification. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages incidents within regulatory timescales.
