In the space of two days the Information Commissioner’s Office (ICO) has announced its intention to levy large fines for breaches of GDPR, the first since the legislation came into force in May 2018. GDPR allows the regulator to fine companies up to £18 million or 4% of annual global turnover, whichever is higher.
The British Airways case
On Monday 8 July, the ICO announced its intention to fine British Airways (BA) £183 million after a lengthy investigation. Back in September 2018, BA was implicated in a cyber incident in which user traffic to its website was redirected to a fraudulent site, through which customers’ details were harvested by criminals. Around 500,000 customers had their personal data breached.
The ICO was notified of the data breach and began an investigation, which found that poor security arrangements (e.g. in the login and card payment systems) caused a variety of information to be compromised. BA worked with the ICO to improve these arrangements. The company will also have the opportunity to make its own representations regarding the outcome of the investigation.
In this case, the notice states an intention to fine BA 1.5% of their turnover. The fine could have been as high as £489 million. The company has 28 days to make representations (i.e. appeal the findings or sanction), following which a final decision will be made.
The Marriott International case
On Tuesday 9 July, the ICO announced its intention to fine another company, this time hotel firm Marriott International, £99 million. Again, the fine relates to a cyber incident in which the personal data in around 339 million guest records was exposed. Seven million of these were UK residents and a total of 30 million were from countries in the European Economic Area, which, under EU rules, are also covered by GDPR.
This case is unusual in that the cyber incident happened in 2014, when the Starwood hotels group was compromised. Marriott acquired Starwood in 2016 but did not discover the data breach until 2018. The ICO’s investigation found that Marriott should have done more to secure its systems and had failed to undertake sufficient due diligence. Like BA, Marriott now has the opportunity to make representations to the ICO before the fine is confirmed.
Both cases demonstrate the ICO’s determination to take action against organisations which fail to adequately protect personal data. The Information Commissioner, Elizabeth Denham, has said:
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”