The ICO has said it intends to fine British Airways £183 million and the Marriott chain £99 million for data breaches each company had themselves notified to the Commissioner in compliance with the notification requirements under GDPR.
Both organisations have the chance to appeal against the proposed penalty, but in the meantime what this indicates is that the ICO is flexing its new muscles. Under the old rules, fines were limited to £500,000. Now they can go as high as €20 million (about £18 million) or 4% of the organisation’s global turnover, whichever is the higher.
Most people will agree that fines of that magnitude should make business leaders sit up and take notice, and yet across many different sectors of the economy, there is evidence that the old ways of thinking about data protection have not been shed.
Tim Heywood, a Data Privacy and Information Law Partner at gunnercooke llp, has warned businesses not to be complacent, especially as GDPR Phase 2 is on the horizon.
“The message from the regulator is clear – we are in a new era, one where data controllers are much more accountable to the people whose data they collect and exploit, and more accountable to the regulator who is charged with enforcing the rules.
“What many leaders still struggle to acknowledge is that the rush (and the investment) to be ready for 25th May last year was just Phase 1. Now is the time to initiate Phase 2 which is I think all about positively embracing the new rules, changing the organisation’s culture and actively promoting privacy across the organisation.
That takes more than a change in supply contract terms and improved privacy notices. In both the BA and Marriott cases, the organisation had ‘self-reported’, but what they had failed to do before the security breach was to carry out extensive, practical due diligence on the systems they were inheriting or already running. It is simply not enough to rely on contractual assurances from suppliers and the third parties, vital though those contractual assurances are.
“For every organisation, compliance now needs a genuine change programme and a new set of leadership priorities, fit for the digital era. The more agile and forward-thinking organisations already find that by putting privacy centre stage they are rewarded by raised levels of trust their customers will place in them. Trust and authenticity are highly valued by the so-called Z Generation. They want to know they can trust you to handle their data responsibly and honestly.”