ICO issues unprecedented fines for data breaches
We predicted when we last reported on GDPR in April, that it would not be long before we started to see significant fines under the new GDPR regime.
This has now proved to be the case, with the ICO recently announcing its intention to fine two large, well-known organisations, namely British Airways and the Marriott hotel chain, with the two proposed fines together totalling almost £300m.
GDPR bolstered the ICO’s fining powers significantly, from a maximum fine of £500,000 under the DPA 1998 to the higher of €20m (about £18m) or 4% of an organisation’s annual global turnover under GDPR. Although not an ICO decision, it is of interest to note that a $5bn fine has been issued to Facebook by the US Federal Trade Commission for its part in the Cambridge Analytica scandal; it will be interesting to see whether the ICO levies its own fine in due course!
It is believed that the ICO is using its new powers under the new regime to make an example of these companies for failing to protect their customers’ personal data and to act as a deterrent to others. In BA’s case, whilst the proposed £183.4m fine may be the first major fine in the UK under GDPR, there is an argument that the airline is in fact getting off lightly, as this amounts to only around 1.5% of the company’s global turnover, whereas Marriott’s proposed fine of £99m represents around 3% of the hotel company’s revenue for 2018.
The regulator arrives at its decision after weighing up the severity of the data protection breach – which includes the duration, the number of customers affected and other factors, including the level of cooperation of the company involved. Marriott’s fine was the result of a long-standing data breach over four years, between 2014 and 2018, which exposed in the region of 339 million guest records globally, whereas BA’s breach related to a cyber incident lasting for several months in 2018. This in part involved user traffic to their website being diverted to a fraudulent site and, as a result, the personal data of approximately 500,000 customers was compromised.
At the time of writing, both companies have said they will put up a vigorous defence and have 28 days to make representations. The ICO has a total of 16 weeks from issuing its notice of a proposed fine to deliver its final verdict. These initial decisions should come as a stark warning to organisations about how seriously the ICO is taking data breaches which expose consumers’ personal data. Information Commissioner Elizabeth Denham is quoted within the BA statement as saying:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
It is important to remember that the detriment to organisations goes beyond the financial damage imposed by potential fines, as irreparable damage may also be caused to client trust, reputation and share price. Data should be treated as one of your most valuable assets, and ensuring that you collect, store and use it securely and for a valid purpose is fundamental to your business’s long-term success.
The Breach Reporting module in our Risk & Compliance system is a useful tool to capture all relevant information in the event of data protection (and other) breaches. The module has recently been updated to include the type of data breached, whether the client has been notified, and the date the breach was reported to the ICO. There is also a prompt to ask whether the breach was reported to the ICO within 72 hours of the organisation becoming aware of it, as GDPR requires. With the new SRA Standards and Regulations (Standard 7.2) requiring you to “be able to justify your decisions and actions”, effective use of our system modules will be imperative.
Should you require assistance with your ongoing obligations to comply with data protection legislation or to discuss the system and training packages we have available, please contact a member of our team on 01829 731 200 or email firstname.lastname@example.org