We previously blogged about data protection breaches under the General Data Protection Regulation (GDPR) and how to deal with the aftermath. Since then, the Information Commissioner's Office (ICO) has issued its first fines under the GDPR, which came into force in May 2018, and the accompanying Data Protection Act 2018.
Under previous legislation, the maximum monetary penalty that could be imposed by the ICO was £500,000. Only Facebook and Equifax have been the recipients of fines at the maximum level, falling safely within the umbrella of the old thresholds.
Under the GDPR, however, the maximum penalty which can be imposed on an organisation for a data breach is 20 million euros (or the equivalent in sterling) or 4% of its total annual turnover in the preceding financial year, whichever is higher.
This week, not one but two organisations have been handed substantial fines by the ICO, which has utilised the new limits available. These are the first reported fines under the GDPR and have been levied over a year after its introduction.
The ICO has issued Notices of Intent to fine British Airways a staggering £183.39 million and hotel chain Marriott £99.2 million. Both fines relate to cyber incidents compromising customer data which the ICO indicates could have been prevented had there been suitable security arrangements in place. Interestingly, it also noted that Marriott failed in its due diligence process when acquiring the Starwood Hotels group, whose systems were responsible for the vulnerabilities.
Unsurprisingly, both organisations reportedly intend to appeal - an option which is available for only 28 days after the Notice. Appeals are made to the General Regulatory Chamber of the First-tier Tribunal. Any monetary penalties are not retained by the ICO and instead belong to the Treasury's Consolidated Fund.
If organisations were starting to lapse into a sense of security after a year of data protection hyper-awareness, they will no doubt be on red alert once again. One year after GDPR implementation, now might be the time to review internal data protection policies and procedures to determine how well they are working in practice.
Our data protection team can assist in ensuring that you don't need to pay the unaffordable price of a data breach.