Businesses would be forgiven for thinking that the GDPR has been asleep since its introduction just over a year ago. However, the Information Commissioner’s Office (ICO) has shown that it means business by announcing its intention to fine British Airways £183 million – its largest ever fine, and its first under the General Data Protection Regulation (GDPR).
Just two days after this announcement, the ICO has flexed its muscle again by stating its intention to hand a fine of almost £100 million to Marriott International, the parent company of hotel chains including W, Westin and Le Méridien, which admitted that guests’ personal data records, including credit card details and passport numbers, had been stolen.
Under the ‘old’ data protection rules that pre-dated the GDPR, the maximum fine available to the ICO was £500,000, which it handed to Facebook over the Cambridge Analytica scandal in October 2018.
In the case of British Airways, the ICO’s investigation found that the personal data of approximately 500,000 customers was compromised by poor security arrangements. Whilst BA notified the ICO of the incident in September 2018, the ICO believes the incident began in June 2018, some three months earlier.
BA now has 28 days to make representations to the ICO on the proposed fine and actions; the ICO will then consider these before making its final decision.
Since the introduction of the GDPR on 25 May 2018, the ICO has had the authority to issue eye-watering fines of up to €20 million or 4% of a company’s annual worldwide turnover, whichever is higher. In light of its proposed fines for BA and Marriott, it looks like the ICO is not afraid to use this new power to impose shareholder-affecting penalties.
The ICO will, in our view, target the larger companies for headline fines, but it will also look at SMEs, which are bound by exactly the same rules – so it is vitally important that businesses of all sizes understand the value of the personal data they hold, handle it sensitively and treat it with the utmost care.
For help and advice on ensuring your business is GDPR compliant, please contact our friendly commercial law team on 01482 325242