


ICO continues heavy GDPR penalty trend with fines amounting to £282 million in July 2019

This case was subject to the General Data Protection Regulation 2018.

Who is the ICO?

The Information Commissioner’s Office (ICO) is an independent authority set up to promote data privacy and uphold information rights in the UK, and can bring criminal prosecutions, non-criminal enforcements and conduct audits against organisations and individuals that breach data protection laws.


Case Facts

In September 2018, British Airways (BA) notified the ICO of a “cyber-incident.”  Users of the BA website were being diverted to a fraudulent website through which attackers harvested customer details, including names, email addresses, payment information and login credentials.  The ICO reported that the personal data of at least 500,000 customers was compromised in the incident.

Following an extensive investigation, the ICO issued a notice of its intention to fine British Airways £183.39M for infringements of the GDPR on 8th July 2019.  It should be noted that the BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.  BA will now have 28 days to appeal the ruling before it is made final.

Merely a day after announcing the BA fine, the ICO pronounced its intention to fine Marriott International £99M for GDPR infringement in an incident that took place in November 2018.  The statement by the ICO reveals a data breach by Marriott that led to the exposure of personal records of around 339 million guests globally; this included 30 million guests from the EEA, and seven million guests from the UK. 

The “vulnerability” began in 2014 when the systems of the Starwood hotels group were compromised.  Marriott acquired Starwood in 2016, but the exposed customer information was not revealed until late 2018.  In the ICO’s statement, Elizabeth Denham, the UK Information Commissioner, confirmed that “organizations must be accountable for the personal data they hold and this includes carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

Impact

It has now been a year since the EU’s General Data Protection Regulation came into force on 25 May 2018. It replaced the patchwork of national data protection laws across the EU with a unified system that greatly increased the monetary penalties that regulators could issue, strengthened the requirements for consent to data processing, and created a new pan-European data regulator called the European Data Protection Board.  In the UK, the previous maximum fine was £500,000 (Facebook, 2018); the post-GDPR record currently stands at more than £180M, for the British Airways data breach mentioned above.

The European Data Protection Board has said that over 200,000 cases were reported in the first nine months of enactment, and about 400 data breaches are now being reported each month. 

The number of cases is expected to reach 36,000 this year, a 100% increase from last year.

A recent survey showed that within EMEA, 55% of M&A practitioners believe that transactions did not progress due to concerns around a company’s data/privacy protections and GDPR compliance.  This clearly demonstrates an increased focus on data protection and adherence to the new law.  This can be traced back to the significant fines that Data Protection Authorities (“DPAs”) are issuing for non-compliance; failure to comply with the GDPR can result in regulatory investigations, fines and damages claims.  DPAs now have the power to issue fines of up to €20M or 4% of annual global turnover (whichever is greater) for GDPR infringement.

Many high-profile enforcement actions were carried out against tech businesses, leaving other sectors under the false impression that GDPR compliance was primarily a problem for the tech sector.  By issuing two heavy penalties on successive days against non-tech companies, the ICO has sent a clear message that breaches of GDPR by any businesses risk enforcement. 

Thus, businesses must use this opportunity to re-evaluate GDPR compliance and risks.  Data security measures should be routinely reviewed to ensure effectiveness against known and unknown threats and attacks.  As the law does not look like it is going to be repealed or even become less stringent any time soon, it is more important than ever for businesses to be aware of the law and its implications.

Contact


Jan Eberhardt

+44 0121 2278963


Rödl & Partner UK






Discover more about our offices in the United Kingdom.

Data Protection Bites

Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, with a special focus on the GDPR.