Employment News

News added on 30.07.2019


Data protection

Huge fines for data protection breaches are coming. Should you be worried?

The Information Commissioner’s Office (ICO) has announced that it has issued notices of its intention to fine British Airways (BA) £183.39 million and Marriott International, Inc. (Marriott) £99.2 million for infringements of the GDPR. What was the issue in each case and are these enormous fines a sign of things to come for smaller businesses too?

Although these proposed fines are enormous, they both relate to very large global organisations and the personal data of many customers being compromised. The ICO is also arguably using its first two investigations under the GDPR to provide a cautionary tale for other organisations. Smaller UK businesses that are responsible for personal data breaches won’t receive fines anywhere near these amounts, but that’s not to say you should be complacent as fines will be significantly higher, on average, than under the old data protection regime. There are two levels of fine that the ICO can impose under the GDPR. The first is up to €10 million or 2% of the company’s total worldwide annual turnover, whichever is higher. The second is up to €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher. The higher level of fine covers infringements relating to the GDPR data protection principles and as one of these relates to the security of processing, it means the higher fine level can cover a personal data breach which infringes the security principle. Both the BA and Marriott proposed fines have been calculated based on worldwide annual turnover. The BA fine amounts to 1.5% of its worldwide turnover in 2017.

Back in August 2017, the ICO blogged that the GDPR is “not about fines. It’s about putting the consumer and citizen first. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point” as “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. Although BA and Marriott might well take issue with this blog post two years later given the massive fines they’re currently facing, theirs were not minor infringements, nor is either of the proposed fines the maximum permitted. If your business is responsible for a personal data breach as a result of poor security arrangements, you have to expect to receive a substantial fine - whilst this probably won’t be in the millions, don’t expect it to just be a few quid either!

Poor security arrangements resulted in cyber attackers gaining access to the personal data of approximately 500,000 customers in BA’s case and 339 million global guest records being exposed in Marriott’s case. Both now have the opportunity to make representations to the ICO as to the proposed findings and sanction before a final decision is reached. Fines will generally be larger under the GDPR than under the old data protection regime, as the maximum fine is now €20 million or 4% of the company’s total worldwide annual turnover, whichever is higher, so there’s no room to be complacent. That said, maximum fines certainly won’t become the norm, and minor infringements won’t result in massive fines, as the ICO isn’t there to make an example of your business.

© Indicator - FL Memo Ltd • Telephone: (01233) 653500 • Fax: (01233) 647100 • customer.services@indicator-flm.co.uk • www.indicator-flm.co.uk
Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ • VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719