The UK regulator for data protection, the Information Commissioner's Office (ICO), has announced its intention to issue its first significant fines under the GDPR which may go up to an eye-watering £189.39 million.
Until recently, all fines issued by the ICO followed the Data Protection Act (DPA) 1998, the old legislation that still applied at the time the cases were investigated. Fines have therefore been limited to the DPA 1998's maximum penalty of £500,000, which is the amount Facebook was fined in October 2018.
At that time, the Information Commissioner, Elizabeth Denham, confirmed that "the fine would inevitably have been significantly higher under the GDPR".
With the maximum monetary sanction under the GDPR set at €20 million or 4% of global turnover, recent developments are the first evidence of the fearsome power the ICO wields in the modern age of data protection.
A GDPR World: British Airways & Marriott International
In September 2018, UK airline British Airways (BA) announced that it had suffered an external breach of its security systems. This breach, BA said, meant the personal data of more than 380,000 customers had been accessed without authorisation. The ICO has confirmed this number may now be around 500,000.
Likewise, in November 2018, Marriott International reported that it too had suffered a significant breach of its systems, dating back to 2014, which could have affected up to 500 million of its customers.
Both incidents were the result of external hacking, whereby third parties managed to gain access to personal data through flaws in each company's online security.
Under the GDPR, companies are required to have robust systems and processes to defend against both internal and external data breaches, such as a hack. Accordingly, the ICO has now issued statements on both incidents, which have brought home the reality of the GDPR.
Fines under the GDPR: ICO Action in July 2019
On 8 July 2019, the ICO announced its intention to fine BA £183.39 million for its "poor security arrangements" which saw the unauthorised access of data including customer names, home addresses, travel booking info and payment card details.
Worryingly, this figure represents only approximately 1.5% of BA's annual global turnover, less than half of the maximum fine that can be issued under the GDPR. At 4% of annual global turnover, a maximum penalty would have produced a figure close to £500 million.
Just two days after this decision, on 10 July 2019, the ICO announced its intention to fine Marriott International for failing to "undertake sufficient due diligence" prior to the acquisition of Starwood Hotels in 2016. Starwood was the company in which the breach originated; however, according to the ICO, Marriott subsequently failed to "secure its systems".
This resulted in the loss of "a variety of personal data... contained in guest records globally", which the ICO estimates affected 339 million of Marriott's customers. Accordingly, a fine of £99 million was issued by the ICO.
The ICO: Out of Control or Enforcing the Law?
In the wake of fines totalling nearly £300 million, one media outlet accused the ICO of going on a "power trip".
Yet for those who recognise the importance assigned to the GDPR, these fines are a realisation of the regulation's primary intention: to protect against data breaches, and to penalise those negligent of their responsibilities.
Accompanying the BA decision, Elizabeth Denham released a statement which suggests these fines are just the beginning of the ICO's new enforcement trajectory:
"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights." – Elizabeth Denham, Information Commissioner (July 2019)
In a new GDPR world and with the ICO now taking significant action, it is more important than ever for your company to have robust policies and well-trained employees, thereby reducing the risk of data breaches, protecting against potential sanctions and ensuring the security of your employees and clients.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.