Looks like the GDPR honeymoon is now over
Just when you thought the General Data Protection Regulation (GDPR) dust had settled, the Information Commissioner’s Office (ICO) has announced its intention to fine British Airways (BA) £183.39 million and Marriott International (Marriott) £99,200,396.
The ICO appeared to have a relatively quiet 12 months following the influx of GDPR-centric news at the beginning of 2018, seemingly taking a light-touch approach to enforcement, which reasonably gave businesses a chance to get up to speed with their new, enhanced obligations.
It seems, however, that in the background the ICO has been hard at work, and it has just burst back into the news with the announcement of two shocking fines and the publication of its annual report.
Both BA and Marriott suffered serious cyber security breaches at the end of 2018, with the personal data of 500,000 and 30 million European customers (respectively) being compromised and, in Marriott’s case, the data of 339 million international customers.
Unsurprisingly, the ICO have flexed their muscles and utilised their ability to fine up to 4% of a company’s revenue.
Of course, a number of considerations were taken into account before the ICO issued these fines (including the failings of the two companies), and the fines are likely to be challenged by BA and Marriott, but they certainly demonstrate the ICO’s hard stance on the need to protect your customers’ data, whether a breach is directly the company’s fault or the result of being hacked.
It’s not all about the ICO…
After the bombardment of information and news surrounding GDPR’s introduction, no one could blame you for trying to block out any mention of the dreaded GDPR, but, predictably, it seems that beneath the surface the ICO gained a lot of public support.
In the words of the ICO in its annual report, “the public has woken up to the potential of their personal data”, and in support of this statement it has released helpline and complaints statistics, showing a 66% increase in contact and advice services and a staggering 98% increase in complaints!
Clearly, customers are not only becoming more aware of how their data is protected (and how it’s used) but are actively making sure companies (big or small) are held to account when that protection is not there.
So, what’s next?
With fines under the previous law capped at £500,000, there is no doubt that these vastly increased fines will send shockwaves through businesses and act as a deterrent against ignoring their obligations.
The ICO has announced that it is currently looking at 12 further “significant cases”, so, combined with the overwhelming public support, it would seem that, as predicted in our previous blog, the GDPR honeymoon is officially over.
One thing is clear: if you haven’t already, it’s time to make sure you’re compliant!
It certainly isn’t too late, but you shouldn’t hang around. This means reviewing (or in some cases creating) policies and internal procedures detailing what data is used, how and why you use it, where it is stored (and for how long) and, perhaps most importantly in light of the fines, how you protect it!
If you would like to discuss data protection and how to make sure your business does not fall foul of the GDPR, please do not hesitate to contact Olivia French on 020 7288 4778 or by email at OliviaFrench@boltburdon.co.uk. Alternatively please contact another member of the team who would be happy to help.