A possible data breach at a software company whose product is used for recruitment could be one of the first cases to fall under the new GDPR rules. PageUp has notified data regulators, including the UK's Information Commissioner's Office, and stated that malware could be the source of the incident.
“On 23 May, 2018, PageUp detected unusual activity on its IT infrastructure and immediately launched a forensic investigation,” said the firm's chief executive Karen Cariss. “On 28 May, 2018, our investigations revealed that we have some indicators that client data may have been compromised; a forensic investigation with assistance from an independent third party is currently ongoing.”
“With GDPR enforcement now in operation, PageUp will be facing a fine of up to €20 million, or 4 per cent of their global turnover, alongside all the other challenges that come with a data breach,” noted Dr Guy Bunker, SVP of Products at Clearswift. “Reputational damage is always an issue with a data breach and it’s no different here. A number of customers have already suspended their job websites with PageUp, showcasing just how damaging a data breach can be for business. It also brings into question the new shared responsibility requirements under GDPR and whether additional fines could be levied on PageUp customers despite a third party being responsible for the breach.
“In addition to consequences from customers, there is also the possibility of a class action suit type of event with individuals who have had their details compromised claiming compensation,” adds Bunker. “This will add additional strain onto the organisation and the cost of the breach will only increase.”
If PageUp has a GDPR-appropriate breach plan in place, this could affect the level of any fine the regulatory authorities impose. If it does not have an adequate plan, there could be major consequences. “One thing is for sure,” says Bunker, “this won’t be the last data breach event, but it is the first major breach to happen within GDPR and will be a benchmark for the way in which regulators react to breaches of its kind.”