Opinion

Time to get serious about compliance

10th July 2019

Time to get serious about compliance

Multi-million pound fines for data protection breaches continue to make headlines, and act as a stern warning to all businesses that they need to be serious about compliance.

British Airways has the dubious honour of being the latest organisation to face a record £183m fine, while it was also announced this week that Marriott International is set to be fined £99.2m.

Higgs & Sons lawyer Katherine Cooke, a specialist in employment aspects of GDPR compliance, says although these eye-watering fines are still few and far between, all businesses, no matter what their size, need to ensure that they are compliant with the principles of GDPR.

She said: "GDPR came into force in May 2018 and is applicable to all businesses that use personal data. Our advice to companies is to regularly review your data protection protocols to ensure you continue to remain compliant and if in any doubt - seek legal advice.”

Previously, the largest fine imposed for data protection breaches had been Facebook’s £500,000 penalty for its role in the Cambridge Analytica data scandal - the maximum figure permitted under the Data Protection Act 1998. British Airways and Marriott International were both fined under the General Data Protection Regulations (GDPR), which give individual data subjects extended rights and the Information Commissioner greater powers and a wider range of sanctions.

British Airways was fined 1.5% of its 2017 worldwide turnover, which was less than the maximum penalty. For very serious breaches, organisations can be fined 4% of their annual turnover or €20 million - whichever is greater.

BA was found to have failed to take sufficient measures to secure the personal data of its customers. From June 2018 onwards, visitors to their website were diverted to a fraudulent site, where personal details such as names, addresses, log ins, travel arrangements and credit card details were harvested by hackers. The breach was first disclosed to the Information Commissioner in September 2018, and it is believed that 380,000 transactions were affected.

Marriott International also suffered a security breach. It appears that Starwood Hotel systems were first compromised in 2014. Marriott International acquired the chain in 2016 and a criminal attack against the guest reservation database was discovered and notified to the Information Commissioner in 2018. Marriott International was found to be culpable for the failings of Starwood through failure to undertake sufficient due diligence on purchase, and failure to act to improve system security.

The Information Commissioner’s respective statements on the fines state that both businesses have fully cooperated with the ICO investigation and have made improvements to their security arrangements. The ICO has been the lead supervisory authority investigating both cases, on behalf of data protection authorities in other jurisdictions.

Willie Walsh the Chief Executive of IAG (owners of British Airways) has indicated that the airline may appeal. It is also reported that Marriott International intends to appeal.

For further information or advice on GDPR services contact a member of the Commercial or Employment Teams on 0345 111 5050.

 

Other news

Contact us

3 Waterfront Business Park
Brierley Hill
West Midlands, DY5 1LX

Email: law@higgsandsons.co.uk
Call Us: 0345 111 5050

Follow @HiggsandSons on Twitter  Join Higgs & Sons on Facebook  Join Higgs & Sons on LinkedIn

Newsletter

Keep up to date with all the latest here.