If anyone had been lulled into a false sense of security by the absence of the much vaunted mega fines in the aftermath of GDPR coming into force, they would have been rudely awakened when, in July 2019, the ICO announced its intention to fine British Airways and Marriott International £183.39m and £99.2m respectively, the largest fines issued to date.
Even though British Airways reported the breach (which related to the loss of the personal data of 500,000 customers after hackers redirected user traffic to a fraudulent website) and fully co-operated with the ICO’s investigation, it still wasn’t enough to avoid a fine. The ICO heavily criticised them for their poor security arrangements.
It was a similar case with Marriott, which was found to have failed to undertake sufficient due diligence and should have done more to secure its IT systems.
These fines should serve as a warning to companies everywhere about how seriously data protection authorities are taking their duties. The UK Information Commissioner Elizabeth Denham said,
“personal data has a real value, so organisations have a legal duty to ensure its security, just like they would any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public”.
If you haven’t previously prioritised data protection, it’s important to take effective steps now. The ICO has previously indicated that it will consider the level of compliance when determining fines.
If you need any assistance with GDPR compliance, please contact us.