ICO propose huge GDPR penalties

In recent weeks, the Information Commissioner’s Office (ICO) has published several headline-grabbing notifications under the extended powers conferred under the Data Protection Act 2018 (which incorporated the General Data Protection Regulation (GDPR) into UK law).

On 8th July 2019, it was announced that the ICO intended to impose a fine of £183 million on British Airways arising out of a data breach in June 2018, in which the personal data of 500,000 passengers was compromised when hackers were able to divert traffic from BA's website to a cloned site from which the data was harvested.

People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.

The next day, the ICO announced its intention to impose a fine of £99 million on Marriott International, again arising out of a data breach, this one compromising the personal data of c. 30 million customers.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

Both companies have expressed their intent to contest the penalties proposed. The ICO has stated that it will consider their representations before publishing final decisions.

What steps has your company taken to protect against data breaches?

By Paul Sullivan FRSA
