The ICO has said it intends to fine British Airways £183 million and the Marriott chain £99 million for data breaches that each company had itself notified to the Commissioner, in compliance with the breach notification requirements under GDPR.
Both organisations have the chance to appeal against the proposed penalty, but in the meantime what this indicates is that the ICO is flexing its new muscles. Under the old rules, fines were capped at £500,000. Now they can go as high as €20 million (about £18 million) or 4% of the organisation’s global turnover, whichever is the higher.
Most people will agree that fines of that magnitude should make business leaders sit up and take notice, and yet across many different sectors of the economy, there is evidence that the old ways of thinking about data protection have not been shed.
Tim Heywood, a Data Privacy and Information Law Partner at gunnercooke llp, has warned businesses not to be complacent, especially as GDPR Phase 2 is on the horizon.
“The message from the regulator is clear – we are in a new era, one where data controllers are much more accountable to the people whose data they collect and exploit, and more accountable to the regulator who is charged with enforcing the rules.
“What many leaders still struggle to acknowledge is that the rush (and the investment) to be ready for 25th May last year was just Phase 1. Now is the time to initiate Phase 2 which is I think all about positively embracing the new rules, changing the organisation’s culture and actively promoting privacy across the organisation.
“That takes more than a change in supply contract terms and improved privacy notices. In both the BA and Marriott cases, the organisation had ‘self-reported’, but what they had failed to do before the security breach was to carry out extensive, practical due diligence on the systems they were inheriting or already running. It is simply not enough to rely on contractual assurances from suppliers and the third parties, vital though those contractual assurances are.
“For every organisation, compliance now needs a genuine change programme and a new set of leadership priorities, fit for the digital era. The more agile and forward-thinking organisations already find that by putting privacy centre stage they are rewarded by raised levels of trust their customers will place in them. Trust and authenticity are highly valued by the so-called Z Generation. They want to know they can trust you to handle their data responsibly and honestly.”