The data privacy regulator, the ICO, has started issuing notices of intention to fine data controllers under the GDPR for data breaches. The maximum fine the ICO can impose for a breach of data protection laws increased from £500k under the Data Protection Act 1998 to €20m or 4% of global annual turnover, whichever is greater, under GDPR. GDPR also introduced stronger data breach reporting and notification requirements.
The ICO has this week issued two notices of intention to fine in respect of some high profile data breaches which were notified after GDPR came into effect. The data controllers receiving these notices have been given time to make representations to the Commissioner, who will consider these before making a final decision.
The first notice, proposing a fine of £183.39m, relates to a cyber incident that British Airways notified to the Commissioner in September 2018. User traffic to the British Airways website had been diverted to a fraudulent site, which allowed the attackers to harvest details of around 500,000 BA customers, including login, payment card and travel information along with names and addresses. The ICO's view was that
“a variety of information was compromised by poor security arrangements at the company”.
The second proposed fine, of just over £99m, relates to a cyber incident notified to the Commissioner by hotels group Marriott in November 2018. A range of personal data in around 339 million guest records was exposed, about 30 million of which related to residents of the European Economic Area, including 7 million UK residents. The ICO says the vulnerability is believed to stem from the systems of the Starwood hotels group, which Marriott acquired in 2016, with the exposure remaining undiscovered until 2018. According to the regulator:
“The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Both BA and Marriott have cooperated with the Commissioner and made improvements to their security arrangements since the incidents. In both cases the Commissioner acted as “lead supervisory authority” under GDPR for the data protection authorities of other EU member states.
The proposed fines draw a line in the sand, showing that the ICO intends to exercise its new powers. Health and care organisations should not be complacent about their data responsibilities, and, if they have not yet done so, they should ensure that cyber security and information governance are issues considered by the highest levels of management. Operational risk in the event of a data breach comes not only from the ICO, but also from data subjects themselves. We are handling an increasing amount of data-related litigation against businesses and other organisations.
The Commissioner is not alone in imposing substantial fines post-GDPR, nor are they confined to data breaches. In January 2019 the French data protection authority fined Google €50m for lack of transparency, inadequate information and lack of valid consent regarding Google’s “ads personalisation”.
It remains to be seen whether these fines will be revised following representations, or as a result of formal challenges.