In the space of just a week, the Information Commissioner’s Office (ICO) announced plans to fine both British Airways (BA) and Marriott International the largest ever fines under the new General Data Protection Regulation (GDPR).
BA and parent company International Airlines Group (IAG) were fined a proposed £183.39 million – a record under GDPR. It relates to a cyber-attack last year which saw the personal data of over 500,000 customers compromised. Marriott are set to face a £99.2 million fine for a sustained breach which exposed the personal data of around 330 million guests globally.
While the maximum GDPR fine is 4% of the company’s global turnover, the fines for BA and Marriott only represent around 1.5% of their respective turnovers. The leniency of the commission could reflect both companies cooperating with their respective investigations.
Nonetheless, two record fines in short succession will make for worrying reading for the likes of Google and Facebook, with both currently facing investigations for GDPR violations. Following the Cambridge Analytica scandal – which fell under the remit of the former Data Protection Act – Mark Zuckerberg’s firm now faces a fresh GDPR investigation from Irish regulators following a data breach that affected almost 50 million Facebook accounts.
After receiving a fine of £44 million from French regulators, Google are also in the spotlight once again as the ICO investigates the company for leaking personal data from their advertising platform.
Jade Greenhow, Operations Director at Insight Data comments:
“Without question, the proposed record fines for BA and Marriott, and the ongoing investigations at Google and Facebook, clearly demonstrate that the ICO and other data regulators are taking GDPR violations incredibly seriously.
“It’s undoubtedly a wake-up call for businesses large and small, especially those that do not have adequate safeguarding procedures in place to protect customer data. The case of Marriott is particularly important for the glazing industry, especially as we see growing consolidation in the market with a spate of high-profile mergers and acquisitions.
“Their case refers to a breach at Starwood Hotels and Resorts – a subsidiary of Marriott International. The breach began in 2014 – two years before Marriott had even bought the business – and was not spotted and reported until 2018. It’s therefore absolutely vital that business owners carry out proper due diligence before any acquisition takes place, and that proper structures are introduced to protect the personal data of customers, suppliers and employees which has also been acquired in the sale.
“For too long, businesses across the industry have believed they are too small to worry the ICO. With flying under the radar no longer an option, it’s never been so important to ensure your business complies with GDPR. At Insight Data, we work with businesses across the supply chain to provide a cost-effective and compliant solution which allows them to stay on the right side of GDPR, whilst still effectively marketing to prospective customers.”