The maximum fine the Commissioner can impose for a breach of data protection laws increased from £500k under the Data Protection Act 1998 to €20 million or 4% of global annual turnover, whichever is greater, under GDPR. GDPR also introduced stronger data breach reporting and notification requirements.
The Commissioner has this month issued two notices of intention to fine in respect of some high profile data breaches that were notified after GDPR came into effect. The data controllers receiving these notices have been given time to make representations to the Commissioner, who will consider these before making a final decision.
The first notice, proposing a fine of £183.39 million relates to a cyber incident that British Airways notified to the Commissioner in September 2018. User traffic to the British Airways website had been diverted to a fraudulent site, which allowed the attackers to harvest details of around 500,000 BA customers, including log in, payment card and travel information along with names and addresses. The Commissioner has said that “a variety of information was compromised by poor security arrangements at the company”.
The second proposed fine of just over £99 million relates to a cyber incident notified to the Commissioner by hotels group Marriott in November 2018. A range of personal data in around 339 million guest records were exposed, about 30 million of whom were resident in the European Economic Area, including 7 million UK residents. The ICO says the vulnerability is believed to stem from systems of the Starwood hotels group, which Marriott acquired in 2016, with the exposure remaining undiscovered until 2018. According to the Commissioner: “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Both BA and Marriott have cooperated with the Commissioner and made improvements to their security arrangements since the incidents. In both cases the Commissioner acted as “lead supervisory authority” under GDPR for other EU Member States’ data protection authorities.
The proposed fines are a marker in the sand, showing the ICO intends to exercise its powers. Organisations should not be complacent about their data responsibilities, and if they have not yet done so they should ensure that cyber security and information governance is an issue considered by the highest levels of management. Operational risk in the event of a data breach comes not only from the ICO, but also from data subjects themselves. We are handling an increasing amount of data-related litigation against businesses and other organisations.
The Commissioner is not alone in imposing substantial fines post-GDPR, nor are they confined to data breaches. In January 2019 the French data protection authority fined Google €50 million for lack of transparency, inadequate information and lack of valid consent regarding Google’s “ads personalisation”.
It remains to be seen whether any of these fines will be revised following representations, or as a result of formal challenges.