The ICO announces landmark intended fines under GDPR for data breaches
Patricia Jones

The Information Commissioner’s Office (ICO) has recently demonstrated that it will take a hard line on data breaches, announcing on 8 and 9 July 2019 that it intends to fine British Airways £183.39 million and Marriott International £99.2 million.

Both fines relate to cyber incidents. In the British Airways incident, the personal and financial details, including contact and payment card details, of approximately 500,000 customers were harvested. The ICO’s subsequent investigation found that the information was compromised by poor security arrangements.

In the Marriott incident, a variety of personal data, including email addresses, phone numbers, dates of birth and passport numbers, from approximately 339 million guest records globally was exposed. Whilst Marriott notified the breach to the ICO in November 2018, it is thought the vulnerability began in 2014 when the systems of the Starwood hotels group were compromised. The ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood in 2016 and should have done more to secure its systems.

Fines for a GDPR breach can be up to €20 million or 4 per cent of annual global turnover, whichever is higher. The intended fines are two of the largest ever levied by the ICO, amounting to 1.5 per cent of British Airways’ turnover and 2.4 per cent of Marriott International’s turnover, reflecting the ICO’s view of the gravity of the breaches. Interestingly, had Marriott International discovered and disclosed the data breach prior to 25 May 2018, it would have been fined under the previous Data Protection Act, which had an upper fine limit of £500,000.

British Airways and Marriott International now have the opportunity to make representations to the ICO regarding their intended fines before the ICO makes its final decision. However, these intended fines serve as a reminder that GDPR compliance is not optional and is underpinned by strong enforcement powers which the ICO is willing to exercise. Should you wish to discuss data breaches or GDPR compliance generally, please contact Amy Chandler or Patricia Jones.