The Information Commissioner’s Office (ICO), the United Kingdom’s data privacy regulator, recently published a statement confirming their intention to fine Marriott International approximately £93 million for a data breach that infringed the General Data Protection Regulations (GDPR).
GDPR develops a backbone – what can we learn from the recent British Airways and Marriott International GDPR fines?
The ICO have commented that they believe the breach originally occurred in 2014 within the systems of the Starwood Hotels Group. Interestingly, Marriott International only acquired the Starwood Hotels Group in 2016, but did not discover the data breach until November 2018. The ICO have issued a statement explaining that Marriott International failed to carry out a satisfactory level of due diligence when acquiring Starwood Hotels Group in 2016 and subsequently failed to ensure its systems were secure.
In a statement released on 9th July 2019, UK Information Commissioner, Elizabeth Denham, confirmed that:
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that does not happen, we will not hesitate to take strong action when necessary to protect the rights of the public”.
The ICO make it clear that they intend to use the increased powers given to them by the GDPR legislation in May 2018 without hesitation.
Before this, the largest fine the ICO had ever issued was in the sum of £500,000. Under the GDPR legislation introduced in May 2018, the ICO now have the power to fine up to 4% of a company’s turnover or £20 million, whichever is higher.
The British Airways and Marriott International fines can arguably be seen as the ICO test cases and it has been suggested that more frequent and larger fines are likely to come through in the future. The short timespan between these two announcements could potentially be seen as the ICO providing companies with a serious warning as to their duties under the GDPR legislation, and they clearly want the public to know that they are taking breaches of GDPR seriously and have every intention of enforcing the legislation in its fullest form.
If we can learn anything from the punishment of these two household names, it is that protecting customer’s data is of paramount importance. To find out more about how you can ensure that your business is compliant with GDPR legislation, please contact a member of Woodfines Solicitors' GDPR team on firstname.lastname@example.org
With offices in Cambridge, Milton Keynes and Bedfordshire, Woodfines Solicitors provide a full range of legal services to businesses and individuals.