They’ll never be so low again. Ask Marriott and British Airways
The Information Commissioner’s Office issued £3m worth of fines for data breaches in the year to April 2018 – a mere fraction of its recent proposed GDPR-enabled penalties on British Airways and Marriott.
Marriott’s got 99 million problems and the ICO’s one: Starwood hack mega-fine looms over
The UK data watchdog’s annual report for 2018/19 (PDF) reveals that it imposed a financial slap on the wrist on 22 occasions.
That includes the £500,000 fine against Equifax for its security debacle affecting the personal data of up to 15 million UK residents, and the same amount against Facebook over its data-harvesting scandal that affected an estimated 87 million users.
Under the UK’s Data Protection Act, the maximum fine was £500,000. But since the EU’s GDPR came into force on 25 May last year, companies are now liable to a penalty of up to 4 per cent of turnover.
Just this week, the ICO flexed its GDPR enforcement muscles for the first time. British Airways is facing a record fine of £183m for last year’s data leakage (1.5 per cent of its turnover), and yesterday it was revealed that hotel chain Marriott could be stung for £99m (3 per cent).
Although GDPR powers were in place during 2018/19, an ICO spokesman said none were used in that period due to the time it takes to investigate breaches.
UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt
Though last year’s fine might seem small, they are an increase on 2017/18, when the ICO issued just 11 fines totalling £1.3m.
During 2018/19, the ICO also issued 23 monetary punishments under the Privacy and Electronic Communications Regulation, for nuisance calls, totalling over £2m.
In a foreword to its annual report, Information Commissioner Elizabeth Denham said: “The ICO has covered an enormous amount of ground over the last year – from the introduction of a new data protection law, to our calls to change the freedom of information law, from record-setting fines to a record number of people raising data protection concerns.
“The biggest moment of the year was the General Data Protection Regulation (GDPR) coming into force. This saw people wake up to the potential of their personal data, leading to greater awareness of the role of the regulator when their data rights aren’t being respected. The doubling of concerns raised with our office reflects that.”
Other large fines included a £385,000 against Uber, relating to a security incident affecting the personal data of 2.7 million users and 82,000 drivers, and a £325,000 fine against the Crown Prosecution Service for losing unencrypted DVDs containing recordings of police interviews.
It also slapped Yahoo! UK Services Ltd with a £250,000 penalty relating to a breach affecting the data of approximately 500 million users worldwide. ®