The ICO is not messing around. Within the span of just two days, the regulator has announced its intent to hand out fines of £183m and £99m to British Airways and Marriott Hotels respectively.
While some believe that BA and Marriott are being made examples of, the truth is that the two companies got off relatively easy. Under the new GDPR legislation, they could have been fined a great deal more. In this article we’ll look at what these fines were all about - and why the next fines are only going to get bigger.
The General Data Protection Regulation, commonly known as GDPR, is an effort at updating and aligning data protection legislation across the EU. Coming into force in the UK last May under the Data Protection Act 2018, it is meant to protect consumers’ personal data from misuse.
The GDPR introduced a number of new sanctions for companies that breach data protection rules, as well as setting up new regulatory bodies where none previously existed. In the UK, enforcement of data protection regulation is handled by the ICO - which is responsible for handing out the fines.
The ICO is the Information Commissioner’s Office. The Information Commissioner - currently Elizabeth Denham - is charged with upholding information rights in the public interest. This covers not only the Data Protection Act and GDPR, but also legislation including the Freedom of Information Act, the Investigatory Powers Act and others.
The fines for British Airways and Marriott Hotels are at this point recommendations made by the ICO - the companies will have a chance to respond and make representations for their case. Both companies will likely appeal the ICO’s initial decision, but it is unlikely that these appeals will be successful. In fact, the ICO was relatively lenient with them, as we'll see below.
Between August and September 2018, customers purchasing tickets from British Airways’ website or app had every detail they entered exposed to a malicious attacker. BA’s statement is sparse on details, but we do know that about 500,000 individuals were affected, and that the data stolen included names, email addresses and credit card numbers.
The Marriott fine is for a data breach that started in 2014 - but was only reported to the ICO in 2018, after the GDPR came into force. It included the exposure of the personal details of 339 million customers, 30 million of whom are EU residents.
Considering how many customers were affected in both breaches, it would be hard to argue that the fines were excessive. The British Airways breach especially caused distress and extra work for affected individuals, since they had their full credit card details exposed.
In fact, both BA and Marriott got off relatively easily. GDPR allows a maximum penalty of 4% of a company’s annual turnover for breaching the regulation. BA’s fine amounted to around 1.5% of the company’s turnover, whereas Marriott’s was around 0.625%. At 4%, the fines would have been £480 million and £640 million for BA and Marriott respectively.
The money fined by the ICO does not go to the victims of the breaches, though they can sue, and are suing, for civil compensation separately. The ICO instead shares the money with other EU regulators based on the number of affected individuals in each country, who can then do with their share as they see fit. The ICO’s own share goes directly to HM Treasury.
Some believe that the ICO is only making an example out of these two companies, and some others think that the companies will successfully challenge these fines and have them reduced. The truth, however, is that the GDPR has completely changed the regulatory landscape - and this is only the beginning of a new norm.
The BA and Marriott fines are more than reasonable under the GDPR framework - neither is even half of the maximum possible fine - and so there is no reason why the ICO won’t successfully carry them through to the end. Once these first fines are safely in the Treasury, the ICO will have increased confidence to pursue even higher fines against the next set of offenders.
Unless companies start investing in cyber security and data protection as a matter of urgency, fines like the ones levied this week are going to become a regular occurrence. If you’re a business owner and aren’t sure whether your company’s policies and training are up to scratch, now might just be the time to start taking the GDPR seriously.