This week’s announcements by the UK’s Information Commissioner’s Office (ICO) of its intention to fine British Airways and Marriott International £183M and £99M respectively have not come as a surprise to many.
Information Commissioner Elizabeth Denham had given some strong clues in her recent ‘GDPR – one year on’ article and, as indicated, the ICO has now shown its willingness to take robust action.
British Airways and Marriott International are the first to bear the brunt of the ICO’s new powers and, based on the article, it sounds as though more investigations are nearing completion, which would further demonstrate the actions the ICO “is willing and able to take to protect the public”.
The British Airways breach
The proposed fine relates to a major cyber incident last year that involved user traffic to British Airways’ website being diverted to a fraudulent site that harvested around 500,000 customers’ personal data. The compromised personal data included individuals’ names, addresses, log-in, payment card and travel booking details.
This is the first time, since the GDPR was introduced on 25 May 2018, that the ICO has used its new powers to fine businesses beyond the £500,000 cap imposed by the old Data Protection Act 1998 regime.
At this stage, it is unclear why the ICO decided on the £183.39M figure (which represents 1.5% of BA’s 2017 global turnover), but a number of factors could have contributed to the amount, including:
- the nature of the data involved (payment details);
- the number of data subjects affected (approx. 500,000);
- the duration of the breach (reportedly around 15 days);
- and, possibly, the time taken for British Airways to report and remedy the breach (details of which are currently unclear).
The ICO could have fined BA up to 4% of its 2017 global turnover.
However, what is clear is that the ICO has the confidence, resources and resolve to flex its muscles.
The Marriott International breach
The proposed £99M fine also relates to a cyber incident affecting around 30 million data subjects in the European Economic Area, seven million of whom were based in the UK. The incident occurred in 2014, when the systems of the Starwood hotels group were compromised, and was discovered in 2018, some two years after Marriott International acquired the Starwood hotels group. The ICO’s investigation found that the due diligence exercise carried out by Marriott International prior to its acquisition of the Starwood hotels group was inadequate and that it “should have done more to secure its systems”.
Following the ICO’s statements, British Airways and Marriott International now have the opportunity to make representations to the ICO as to the proposed findings and the size of the fines.
In addition to this, under the GDPR’s one-stop-shop principle, the ICO is the lead supervisory authority for the investigations and will consider (along with the representations made by British Airways and Marriott International) representations made by the data protection authorities of other EU member states.
Following this, the ICO will decide its final actions.
There is also the potential for affected data subjects to issue claims against British Airways and Marriott International, including class-action style litigation claims.
What does this mean for businesses?
Bigger fines expected
These are the first multi-million pound fines threatened by the ICO against businesses active in the UK. If issued, they will be by far the largest fines ever imposed by the ICO. The highest fines issued to date (to both Equifax and Facebook) are £500,000. It could be argued that the impact on data subjects and society from the Equifax and Facebook breaches was more serious than that of both the British Airways and Marriott International breaches. The ICO has therefore set the bar high and, based on the severity of historical breaches, we can likely expect bigger fines from the ICO in the future.
It is worth noting that it is not only the ICO that is flexing its muscles. Earlier in the year, the French data protection regulator (the CNIL) issued a €50M fine to Google for breaching the GDPR. We expect other supervisory authorities around Europe to follow suit.
As demonstrated by these breaches, the ICO, as the lead supervisory authority, is taking the reins and dealing with the breaches on behalf of other EU supervisory authorities whose residents have also been affected.
The situation in a no-deal Brexit world, however, would be different, as the one-stop-shop rule would only apply within the EU, of which the UK would no longer be a part. Therefore, in a breach situation concerning UK-based businesses, there may be two separate actions and enforcements: one by the ICO (acting alone), and the other by an EU-based supervisory authority (acting as lead authority on behalf of other EU supervisory authorities), each of which could independently issue sanctions against the party concerned.
This, combined with the ICO and other EU supervisory authorities’ recently demonstrated willingness to issue large fines, could spell trouble for businesses affected by breaches in the future.
What should businesses do?
- Check and tighten up internal data breach procedures, remembering that the procedure for reporting is different in every country. We would recommend stress testing them and carrying out mock data breaches with relevant key personnel;
- Ensure staff are trained to recognise and report data incidents, as the longer it takes to recognise an incident, the worse it will get;
- Ensure adequate privacy and security due diligence is carried out prior to the acquisition of a business, and proper accountability measures are put in place to assess not only what personal data is being processed but also how it will be protected;
- Take out or review (carefully) existing cybersecurity insurance cover to ensure that, to the extent possible, losses relating to breaches are covered.