UK Data Protection Authority announces record-breaking fines under GDPR legislation

The UK Information Commissioner’s Office (ICO) announced on 8th July 2019 their intention to fine British Airways £183.39 million for breaches of the General Data Protection Regulation (GDPR). Just one day later, on 9th July 2019, ICO announced their intention to fine Marriot International £99.2 million for similar failings.

Now over one year on from the GDPR coming into effect, data protection supervisory authorities are starting to conclude larger investigations that began after their broadened powers came into effect in May last year. As a result of this, companies are starting to see larger penalties per the GDPR provisions - particularly in the UK where ICO has continuously lobbied for greater powers, more resources and has a tendency to bare their teeth.

The UK’s Information Commissioner, Elizabeth Denham stated:
“Personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

With both incidents related to cyber security, the comments and decisions of ICO show that the ongoing security of personal data is paramount for companies who deal with large volumes of personal data, particularly when that personal data is sensitive. Failing to carry out due diligence on business partners and suppliers, as well as failing to secure internal systems, will not be taken lightly by authorities. Companies who may be lax on these issues will need to seriously revise their approach to data collection and processing in order to avoid audits and investigations. Although comments of the ICO show, however, that new processes won’t always be a quick fix – fines will be heaviest for companies with long standing and systematic problems in their approach to data protection. ICO is clearly pushing for an upheaval of the way companies see data privacy: not an afterthought, but a critical part of doing business.

Although ICO’s powers reside within the United Kingdom, data protection authorities Europe-wide tend to look to colleagues in other Member States when considering decisions and approaches. For this reason, fear of the hammer coming down hard and fast on companies without proper GDPR processes should be spread beyond the UK as well.

One thing is clear: the hype and fear around GDPR was not misplaced, and companies that have prepared properly have not been mistaken. Both British Airways and Marriott International intend to make representations and challenge ICO on their findings and subsequent penalties. It remains to be seen what the final amount will be for both companies.

You can find the official statements from ICO here:
British Airways