Fines for Serious Breaches of GDPR – the ICO Finally Bares its Teeth
Posted on August 20th 2019
Since May 2018, when the General Data Protection Regulation (GDPR) came into effect, swiftly followed by the new Data Protection Act 2018, we have been waiting to see how the Information Commissioner’s Office (ICO) would wield the extensive powers conferred upon it and the size of the penalties that it was prepared to impose. Well, now we know! In recent weeks the ICO has announced that it intends to impose fines for serious breaches of GDPR: £183 million for British Airways and £99.2 million for Marriott International.
These fines would be the highest and second highest ever issued by the ICO, being over 300 times higher than the previous record.
The airline is facing a record penalty following the incident which saw the personal data of around 500,000 customers being compromised by poor security arrangements.
The ICO have confirmed that users of British Airways’ website were diverted to a false site which allowed cyber attackers to access personal details such as name and address, log in, payment card and travel booking information.
Despite British Airways acting quickly upon discovery of the breach and finding no evidence of fraudulent transactions following the attack, the ICO’s response has sent a clear message regarding the level of punishment businesses can expect when they do not act with great care to protect personal data.
In the same week, this hotel group also faced significant sanction from the ICO, being fined for infringements of the GDPR after cyber-attackers stole the personal data of 339 million guests, seven million being UK residents. These records were held in the guest reservation database of Starwood Hotels, a company which Marriott acquired in 2016.
The stolen data included passport numbers, dates of birth and credit card details. It appears that Starwood Hotels’ systems were compromised as far back as 2014 and Marriott failed to undertake sufficient checks when purchasing the company two years later.
This incident highlights the need for businesses to undertake thorough due diligence when acquiring a company, to take suitable steps to discover how personal data has been obtained, and to ensure that there are IT systems in place to keep data secure.
Implications for businesses holding personal data
The fines imposed on British Airways and Marriott set a clear precedent for what businesses can expect if they do not have secure systems in place to protect fundamental privacy rights.
Businesses need to be aware that, since the GDPR’s introduction, the maximum penalty is 4% of turnover, and so for companies such as British Airways and Marriott International, operating on a global scale, the sums of money involved are huge. On a smaller scale, however, penalties calculated on this basis can still have a devastating effect on SME-sized businesses. Ensuring that personal data belonging to customers, suppliers and employees is treated with the utmost care is not something that any business should put on the back burner.
How can we help?
Do you need legal advice regarding data protection and minimising the risk to your business from potential liability? Contact us today on 01244 312306.