July 11, 2019

ICO Issues First Fines under GDPR to BA and Marriott

The ICO are hitting the headlines having issued their first fines under GDPR. Both British Airways and Marriott International were fined for breaching European data rules.

BA and Marriott face fines totalling almost £300m under GDPR

British Airways were fined £183m for a breach of their security systems. The breach occurred when their company website and mobile app were hacked and users were diverted to a fraudulent site. This enabled hackers to use the false site to steal the details of 500,000 customers.

Just a day after announcing their plans to fine British Airways, the ICO fined the hotel group Marriott International. Marriott was fined just over £99m for a data breach that resulted in personal data being stolen from 339 million guests. This included guests’ name, home address, telephone number, passport number, date of birth and other identifying information.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” information commissioner Elizabeth Denham said.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Why has the ICO started imposing huge fines?

These fines follow the introduction of the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018. It replaced the minimum standards of the Data Protection Directive. GDPR requires employers to ensure they are compliant in how they store, process and delete data.

I’m sure you’ll agree these fines show that the ICO fully intends to exercise its powers to ensure companies take GDPR seriously.

What is a breach and how are the fines calculated?

A GDPR breach can be as simple as an email or letter containing personal data accidentally being sent to the wrong recipient. Other examples include:

  • A lost or stolen laptop
  • Data redacted incorrectly
  • Data shared incorrectly with third parties without permission or employee knowledge

So how are the fines calculated?

Breaches cost organisations up to £18m or 4% of annual global turnover. Businesses have 72 hours to report a breach. Individuals have easier access to their own data and the “right to be forgotten”. Furthermore, individuals have the right to know if their data has been hacked.

But these fines are for customer-data breaches. As an HR Manager my remit is employee data, so I don’t need to be concerned?

While your remit may not be as far reaching as the protection of customer data, these fines apply to both customer data and employee data. GDPR applies to you if you regularly deal with personal data, which includes present and past employees and suppliers, not just customer data.

Since GDPR came into effect we’ve received countless enquiries from clients concerned about unintentional data breaches. These include cyber security, employees inappropriately sharing confidential information and vicarious liability – you can read our blog to find out more.

In addition, Moorepay offer consultancy services to help you audit GDPR provisions from a human resources perspective. This includes visiting or re-visiting your HR processes and records to identify vulnerabilities.

About the author

Hannah Booth