Published: 10 July 2019

Reading time: About 4 minutes

This week it was announced that British Airways is facing a record fine of £183m and US hotel group Marriott International is to be fined £99.2m for GDPR breaches. They mark the two biggest fines for data breaches since the regulation was introduced in May 2018. In this CEO Perspective, Simon Cole reflects on what this means for data privacy and why it acts as a warning to all organisations across Europe.  

“The news this week should be seen as a major shift in how organisations view GDPR. This is about the ICO and the other regulatory bodies setting out the stall in terms of what they consider to be worth chasing and how they are going to approach such breaches. 

The ICO has been accused of dragging its heels in relation to taking action, but the last 24 hours have shown they have taken their time to investigate the incidents fully and give consideration to the behaviour of the breaching organisation. 

Both cases reflect the need for organisations to take notice of all the data they hold. It’s not good enough to say, “we have firewalls up” or “nobody can get into my premises”, this is an indication that whatever data you have and wherever that information is, you are responsible for it, even on the edge of your systems.  

To quote the Information Commissioner Elizabeth Denham, “People’s personal data is just that personal….When an organisation fails to prevent it from loss, damage or theft, it is more than an inconvenience.” Hence, that is why GDPR exists.  

I found the British Airways case an interesting one because it’s not that the hackers broke into BA’s systems, but they sat on the periphery and scraped that information, and yet the ICO and the other authorities still acted – and acted in a fairly strict way.  

The maximum BA could have been fined was 4% of annual turnover but in this case, they received a  fine of 1.5%. BA was quick in notifying the ICO that there was a breachand I suspect the leniency is a result of the cooperation. 

The Marriott incident, on the other hand, involved a breach of internal data and it is up to organisations to be able to identify that the data exists and ensure that that personal information is in a secure place.  

A key concern of the Marriott breach is that it occurred in an organisation they acquired and happened years before the acquisition. This identifies the effective reach of GDPR and that culpability cannot be easily be pointed elsewhere.  

The ICO clearly expected Marriott International to undertake appropriate due diligence and a security review as part of the acquisition and this will have ramifications for many other acquiring organisations. 

But for me, this isn’t about the two companies involved, this is about GDPR. It’s about the ICO showing that A) it has teeth and B) it is willing to act on these cases. 

If you look at the airline industry for example, when you consider the margins they operate on, a fine of this level is not insignificant and BA is going to feel this one. I think that is the fear for a lot of organisations. 

Many companies have significant turnover into the billions but perhaps are only making a slim profit against that. If you can imagine an organisation like that getting fined, it could quite simply take them out. They just wouldn’t have the reserves to deal with this.  

One of the fascinating things about the BA case is that while the ICO has been the lead supervisory authority here, they have been working with other bodies, so we can definitely gauge the European sense of GDPR.  

Last year, everybody rushed to get the mailing lists in order before May, but these incidents are nothing to do with marketing or a consent button on a website, this is everything to do with managing customer data, no matter where it is or how it is stored.  

It’s about making sure that you, as an owner of data, understand the data that you have and you do your utmost to both protect that information and prove that you are protecting that information – whether that is on your website or on your internal systems or data that you acquire. 

The reality is that the ICO and the other regulators are looking very clinically at organisations which have not had the proper control or management of data in place (in the case of Marriott four years before GDPR even existed).  

With combined fines totalling over £282 million this week (so far), the ICO has set out its stall and is now to be feared Organisations need to sit up and take note.”