It’s just over a year since the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018. Since then, there has been a huge increase in the number of breaches reported, driven by stricter disclosure requirements and greater awareness among businesses and the public about the importance of security and data privacy.
But one consequence that was notably absent in the opening months of the GDPR regime was the lack of the promised large fines for companies that do suffer serious breaches. Although France’s privacy regulator hit Google with a €50 million (£44 million) penalty for how it used personal data in advertising, we haven’t seen companies penalised strongly for data breaches.
However, commentators had warned that the lack of immediate fines reflected the fact that regulators take time to fully investigate incidents and reach conclusions – and as GDPR does not apply retroactively and only breaches reported after its introduction fall under its remit, it would take time before the full extent of regulators’ new punitive powers was seen.
BA and Marriott first to feel the heat of GDPR
This prediction has now been proven true with the news this week that not one, but two major businesses have been hit with multi-million pound fines that would not have been possible prior to GDPR.
On Monday (July 8th), the Information Commissioner’s Office (ICO) announced its intention to hit British Airways (BA) with a £183.39 million fine for its 2018 data breach, which saw hackers infiltrate the company’s booking website and gather personal and financial details of up to 500,000 people.
Then, just a day later, the ICO also revealed it intended to fine hotel chain Marriott International £99.2 million under GDPR rules, relating to a breach that exposed the details of 339 million guest records globally, including seven million in the UK.
Marriott’s case may be the more significant of the two as, while it was reported to the ICO in November 2018 – and therefore came under the remit of GDPR – the vulnerability actually originated in systems belonging to the Starwood hotels group in 2014, two years before it was acquired by Marriott and four years prior to GDPR. However, the ICO said Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
What’s more, even though the chain is US-based, it was still subject to GDPR rules because the data it held related to European citizens – in total, some 30 million compromised records belonged to residents of the 31 nations in the European Economic Area.
A stark warning for businesses
While warnings about the extent of potential fines under GDPR have been around since the regulations were first published, seeing it in action may give many businesses that have neglected their security the shock they need to improve their systems.
As the Marriott breach showed, vulnerabilities do not have to be new to attract huge fines, while in BA’s case, the size of the penalty reflects the fact that highly sensitive information – including names, addresses, travel details and payment card information including CVV numbers – was stolen.
It could, however, have been much worse. The £183 million penalty represents 1.5 per cent of BA’s turnover for 2017 – far less than the four per cent maximum the ICO could have imposed on the firm. But compared with the maximum fine of £500,000 that it would have been able to issue under the previous regime, it marks a huge step up.
Commenting on the Marriott fine, Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
She added that personal data has clear value, so organisations have a legal duty to ensure it is safe, just as they would with any other asset. Those that fail in this responsibility can expect stringent enforcement action from the ICO.