ICO finds its feet with GDPR fines

Like buses, you wait ages for one, then two come along at once. We’ve been waiting for the ICO to issue fines under GDPR and, in the space of a week, it has issued two (well, technically notices of intention to fine; the actual penalty notices will follow once the companies have made their representations):

British Airways

Data of approximately 500,000 customers was affected by a cyber incident in 2018, in which user traffic to the BA website was diverted to a fraudulent site. The ICO found that poor security arrangements at BA allowed the compromise of data including login details, names and addresses, payment card details and booking details. BA cooperated with the ICO’s investigation and has since improved its security.

Marriott

Roughly 339 million guest records were exposed, including those of around 30 million residents of the EEA and 7 million in the UK. A variety of personal data was affected when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016 but did not undertake sufficient due diligence on the acquisition, and the ICO found it could and should have done more to secure the systems it had taken on. Marriott also cooperated with the ICO’s investigation and has since improved its security.

What next?

Many people, me included, expected the first large fine to come from Germany, where regulators are arguably much keener on protecting personal data. These proposed fines dwarf even the French regulator CNIL’s €50m fine on Google.

First, it’s important to note that these fines aren’t final. The ICO has notified both companies that it intends to fine them the amounts set out in the notices and has invited them to make representations. It’s possible that, following those representations, the final amounts will be lower. The proposed BA fine is approximately 0.8% of its parent IAG’s 2018 global turnover of €24.406 billion, and the proposed Marriott fine is about 0.6% of Marriott’s 2018 global turnover of $20.75 billion. Neither is close to the maximum available under GDPR for a breach of the security obligations, which is up to 2% of global annual turnover (or 4% where the failure involves the basic principles for processing or the data subject’s rights). But if they are finalised at these amounts, they are by far the largest fines the ICO has ever issued. The previous highest were against Facebook in October 2018 and Equifax in September 2018, both £500,000, which was the maximum permitted under the old Data Protection Act 1998. We may well see higher GDPR fines in the future.

If you haven’t addressed GDPR already, now is a very good time to do so. And if your CFO told you there was no budget to sort out the handling of personal data, you might find that they have just discovered some…

Update 12/7/19: adjusted the turnover and percentage figures in the penultimate paragraph.
