Welcome

GDPR in Practice: Compliance and Fines

Mamnoon Hadi

Head of Analytics & Insights, Readdle

Introduction

What you will learn:

Practical insights: Applying GDPR to manage risks and ensure compliance
Key skills: DPIAs, handling ethical dilemmas, aligning GDPR with business strategy
Case studies: real-world examples from Google, Facebook, British Airways, and others

General Data Protection Regulation

EU data protection law
Emphasizes data minimization, accuracy, and integrity

Who does it apply to?

Any organization handling EU residents' (human) personal data, anywhere in the world

Why does it matter?

Safeguards privacy in the digital age
Non-compliance can lead to fines up to EUR 20M or 4% of global turnover

Case study: British Airways data breach

Year: 2018$^1$

Compromised data: British Airways suffered a breach, exposing personal and financial data of 400,000+ customers
Failure: the ICO found that British Airways, as the data controller, had not implemented adequate security measures to protect customer data, which ultimately led to the breach

Cause: vulnerability website allowed attackers to intercept booking data

Icon of aircraft

¹ ico.org.uk

Case study: British Airways data breach

Role: British Airways is a Data Controller - decides how customer data is used while Data Processor (example - payment providers like Stripe, PayPal) handles the data
Violation: breach of GDPR data protection by design and data minimization

Case study: British Airways data breach

ICO fine/penalty: £20 million fine (reduced from £183 million)
Impact: personal info exposed, including credit card details, huge financial liability & trust loss

Animation of judge banging gavel

Impact of GDPR violations

Regulatory consequences: enforcement by Data Protection Authorities (DPAs), penalties up to 4% of global revenue
Risk of legal action from affected individuals: BA's Passengers could sue after their personal & credit card info was exposed

Financial penalties: imagine paying £20 million or 4% of annual turn over for something easily avoidable
Reputational damage:
- Loss of customer trust
- Negative media coverage
- Long-term business impact

Lessons learned

What did we all learned from BA?

Key lessons:

Prioritize data protection
Have clear breach protocols
Implement strong security and audits
You must inform the ICO within 72 hours of becoming aware of a data breach

Proactive measures:

Conduct regular Data Protection Impact Assessments (DPIAs)
Train staff on data security
Be transparent with customers

Let's practice!

GDPR in Practice: Compliance and Fines

Preparing Video For Download...