GDPR fines are seemingly like buses, you wait over a year for enforcement action by the UK’s data supervisory authority, the ICO, and then two come along at once – and with quite dramatic effect.
The ICO has stretched its wings and in recent days has issued two notices of intent to fine following investigations. The companies in question can now make representations in an attempt to reduce the fines. Once the ICO issues a penalty notice, the companies can again appeal those fines.
The companies in question are firstly, British Airways, where the ICO has issued a notice of intent to fine the company £183.39 million ($228.89 million) which reportedly equates to 1.5% of their annual turnover and 5 months profit (using 2017 figures). This relates to a cyber incident that was discovered and notified to the ICO in September 2018. BA’s website was compromised causing 500,000 customers data to be harvested by attackers. In its investigation the ICO found that the information was compromised due to poor security arrangements.
The second company to be issued a notice of intent to fine is Marriott International, Inc who are set to be fined £99.2 million ($123.88 million). This again related to a security incident that the ICO was noticed about in November 2018. The personal data of approximately 339 million guests globally was compromised, 30 million of those were resident in 31 countries in the European Economic Area (EEA), 7 million in the U.K.
It is suspected that the system vulnerability dates back to 2014 and Marriott then subsequently acquired Starwood Hotels group in 2016. The security breach was not discovered until 2018.
The ICO noted: “Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems”.
The full statements from the ICO with regard to both of these incidents are available here and here.
The fines are in stark contrast to the previous highest fine in the U.K. of £500,000 under the prior legislation and certainly show a statement of intent from the ICO that in this new era the protection of personal data should be afforded the highest priority.
Watch this space for a further post/s once the ICO issues penalty notices with full reasons for their decisions.