On 8th July 2019 the ICO issued a notice of its intention to fine British Airways £183.39 million for infringing the General Data Protection Regulation (GDPR).  This breach related to an incident which became public in September 2018 where the personal data of approximately 500,000 customers was harvested by hackers.

The ICO have currently not given much information as to how they reached this percentage or this figure but stated that it found a variety of information was compromised by poor security arrangements.  The Information Commissioner, Elizabeth Denham has said:

People’s personal data is just that – personal.  When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.  That’s why the law is clear – when you are entrusted with personal data you must look after it.  Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways will have the chance to appeal this and have according to the press, stated that they will be making representations to the ICO.  The fine issued is short of the 4% of turnover which is the maximum permitted under GDPR, but this is a substantial fine given that the previous highest fine under the Data Protection Act was £500,000 (which is the maximum allowed under this Act).

Until further information is given by the ICO it is hard to determine how this fine was arrived at, but for the moment the point to take away is that the ICO are taking the security of personal data seriously and are not afraid to impose large fines where there has been a breach.

On 9th July 2019 the ICO issued a notice of its intention to fine Marriott International, Inc £99,200,396 for infringing the GDPR.  This breach related to personal data relating to approximately 339 million guest records which were globally exposed.

The vulnerability began when a company’s (who was later acquired by Marriott) systems were compromised in 2014.  Marriott acquired the company in 2016 and the exposure was not discovered until 2018.

The ICO found that Marriott had failed to undertake sufficient due diligence with respect to the acquisition and then didn’t do enough to secure the systems.

Again, we don’t have the full information as to how the amount of the fine was decided, but it is clear indication the ICO is taking enforcement under GDPR seriously and that fines are likely to be high.

Also, it is clear that due diligence regarding personal data is key when acquiring companies and businesses.

If you have any queries regarding personal data, data protection or GDPR, then please contact Lorna Kempsell on 01638 560556 or email lorna.kempsell@edmondsonhall.com