UK ICO shows its teeth with record-breaking fines for GDPR breaches at Marriott & BA
By serving up the BA GDPR fine of £183m & following up with £99m for Marriott, the UK ICO has signalled its intent to punish transgressions where personal data has been put at risk.
The fact that the initial reaction from both BA & Marriott is that the fines will be contested only confirms that the new punitive approach is having its desired effect: both companies have questioned the size of the proposed fines.
The signal being transmitted by the ICO is that data security, especially where it concerns the protection of personal data, must be taken seriously within organisations.
BA’s squeals that the fine is excessive, as nobody has provably suffered damage as a result of the breach, will probably not prove a defensible position.
The Information Commissioner Elizabeth Denham’s statement on the BA GDPR fine: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fact that the fine represents 1.5% of BA’s global turnover, when the maximum fine that could have been imposed is 4%, means BA are unlikely to see much success in their proposed appeal, which will probably only result in further damage to their brand should they proceed.
The Marriott group faces a similar dilemma: the group’s claim in mitigation that it didn’t own the Starwood Hotels Group at the time of the offences will not cut much ice.
The UK ICO Statements on BA & Marriott
The ICO pointed out that part of the buying company’s due diligence should have been to ensure that they were aware of any such failings.
The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The Information Commissioner is clearly sending a message: companies that fail to put data security at their core and then find themselves the victims of a data breach will be dealt with severely; pleading that you didn’t know (Marriott) or that you were the victim of a sophisticated attack (BA) is not necessarily mitigation.
The online world has been going through its own period of crisis. Google, Facebook and others have, since Cambridge Analytica, had to deal with a new reality in which social media is widely distrusted by its customers, and they have regularly been hit by billions of pounds in GDPR fines as European regulators respond to breaches.
Having seen the writing on the wall, the social media giants, for the first time in a very long time, are having to respond to events rather than shaping them.
Ironically, they seem to have forgotten where their huge incomes are derived from: the social revolution has been based on a delicate balance of surrendering some valuable information about oneself in order to access services that are perceived as “free”.
As a result of revelations of systematic exploitation and casual sharing of personal data, many customers are now actively distrusting the organisations behind the social media they love to use.
As a result, the industry is in turmoil and the big players are now trying to regain credibility by actively promoting their privacy credentials.
The BA GDPR fine, and the fallout that is its inevitable consequence, has put the service sector under the spotlight, with a current flurry of adverse publicity and doubtless more to come. The correct response from businesses in the sector will be to reassure customers that they are taking their duty of trust seriously.
The service sector needs to look to its most important relationship, the one with its customers. It’s time to review data security and learn the hard lessons that the social media giants are presently living through.
The Tamite Secure IT View
The Internet Age has redefined the relationship between the service industries and their customers, a relationship to which trust is intrinsic. This is an increasing trend, and Big Data and the Internet of Things will further define the new reality.
GDPR has been a pivotal event in fostering a responsible attitude towards data and privacy across all industries.
The pressure on organisations to meet complex requirements resulted in GDPR fatigue setting in for many businesses, which were slow to learn that GDPR compliance is a journey rather than a destination, one that needs a marathon runner’s mindset rather than a sprinter’s.
New studies have revealed that nearly a third of European firms have still to make sufficient progress toward becoming GDPR compliant in the long term. A rise in prosecutions and in companies receiving fines for breaking laws protecting consumers’ data is becoming public, and these fines have the potential to dent a company’s reputation and balance sheet.
Making privacy by design and default part of the company culture will take time for firms that are still working to understand how GDPR applies to their business model or industry. Undoubtedly there has been a sea change in how companies use and process data.
The anniversary of GDPR coming into force has seen businesses become more mindful of how and why they collect and store data, and they are taking steps to process it in a lawful way.
For a free consultation on your GDPR progress, contact Richard Bristow, Tamite Secure IT Sales Director.