In the first weeks of July, the ICO announced its intention to impose two major fines relating to breaches of the General Data Protection Regulation (GDPR). When the GDPR came into force on 25 May last year, some of the most eye-catching coverage concerned the ability of national enforcement agencies – in the case of the UK, the Information Commissioner’s Office, or ICO – to impose substantially higher fines than under the old data protection regime.
The new fine limit is either 4% of worldwide turnover or 20 million euros, whichever is the higher.
The BA case
In the first of these two cases the ICO announced its intention to fine BA over £183 million. The GDPR breach leading to this fine occurred in 2018 and affected the data of around half a million of BA’s customers. Cyber attackers exploited a vulnerability in BA’s website to divert customers to a fraudulent site, from which their details could then be harvested.
Since the breach occurred, security measures have been upgraded and BA has fully co-operated with the ICO investigation.
The Marriott case
Another business to find itself on the receiving end of an ICO Notice of Intention to fine is Marriott International Inc. In this case the fine that the ICO intends to levy is over £99 million, for a breach affecting around 339 million guest records. Of these, approximately 30 million were data records of EEA citizens, 7 million of them relating to UK citizens.
The exposure of customer information that precipitated this fine dates back to 2014 and relates to a database used by a business called Starwood, which Marriott acquired in 2016. Marriott only discovered the issue in 2018 and at that point notified the ICO.
As with BA, Marriott has since improved its systems and it no longer uses the Starwood database. It also co-operated fully with the ICO investigation. However, the ICO found that Marriott hadn’t undertaken sufficient due diligence when it acquired Starwood, and that it should have done more to secure its systems.
GDPR – What happens after a Notice of Intention to fine?
A business has twenty-one days from receipt of the Notice of Intention to fine to make representations to the ICO. Once that period has passed, the formal Monetary Penalty Notice is issued, and there is then a period of twenty-eight days within which either to pay or to appeal.
Both BA and Marriott have stated that they intend to defend their position, so further developments are likely.
What does a GDPR fine mean for your business?
The eye-watering scale of these fines shouldn’t distract businesses of any size from the essential steps they need to take to comply with the GDPR and – crucially under the new regime – to demonstrate that compliance. All businesses should have taken measures, both technical and organisational, to ensure the security of the personal data they hold.
GDPR breaches and how to manage GDPR in your business
So far as breaches are concerned, the time limit for reporting to the ICO is very tight at only 72 hours. As that limit is not restricted to working hours, the clock runs overnight and over the weekend. This makes having an agile and responsive breach procedure essential.
All businesses should have a breach policy and a register for recording all breaches, whether or not they reach the threshold for reporting to the ICO. Time spent in advance of a breach preparing a full breach response plan will pay dividends in meeting the 72-hour deadline.
Embedding a culture of breach reporting in the business encourages reporting for compliance purposes, but it may also allow patterns or weaknesses to be identified and steps to be taken to prevent recurrence. Staff training, and being able to evidence that such training has taken place, is vital to demonstrating an organisation’s commitment to upholding data protection standards.
Bright Solicitors – Helping to put GDPR policies and procedures in place
We have worked with many clients to put in place relevant GDPR policies and procedures, whether in relation to data breaches in particular, or data compliance more generally. We also help clients undertake risk assessment and analysis of breaches to decide whether they should be reported to the ICO, or whether an internal record is sufficient.
If you need any assistance with your business’s compliance activity, please contact Katrina Smiles: Katrina.firstname.lastname@example.org