A year has passed since the implementation of the General Data Protection Regulation (GDPR) and it is clear that the Information Commissioner’s Office (ICO) is prepared to use the powers and sanctions available to it under the new laws.
Under GDPR, significant fines can be levied on organisations that breach data protection laws. In the most serious cases this can be up to 4% of a firm’s global turnover or €20 million (whichever is greater).
This was seen in action last week when the ICO announced its intention to fine British Airways and hotel group Marriott International £183.39m and £99m respectively for infringements of GDPR. The fine imposed on British Airways represents the highest fine issued by the ICO under GDPR thus far.
The companies will have 28 days from the issuing of the notice to appeal the decision. A final penalty notice will be issued in 16 weeks, providing a full explanation of the decision.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO issues fines proportionately based on the seriousness of the breach, the number of people affected, the type of data and the extent to which management failings allowed the breach or failed to mitigate the harm caused to the individuals affected.
High profile cases such as these also act as a deterrent and a warning to all firms that handle personal data. The Financial Times notes that there has been increased interest in cyber insurance and cyber security in the days since the notice, as firms seek to safeguard themselves against breaches.
It is therefore vital that all firms have robust policies and procedures in place regarding data protection and data security, and that they provide appropriate training for employees who handle data. Firms should also take all reasonable steps to protect personal data from cybercrime and hackers.
If you require further support around GDPR, please contact RWA.