25 May 2018 is a date likely etched on the hearts of information controllers everywhere: the date the General Data Protection Regulation (GDPR) came into force. Fifteen months on from the introduction of GDPR, what changes have we seen? Have any companies received the dreaded fine of 4% of their annual global revenue?
As we are likely all aware, the EU GDPR is the most important change in data privacy regulation in 20 years, transforming the way in which personal data is collected, shared and used globally. Most processing of personal data is now subject to the GDPR. The Regulation requires a lawful basis for processing data, incorporates seven key principles (such as accuracy, accountability and data minimisation) and provides various rights for individuals (such as the right of access and the right to object).
So what fines have resulted since the GDPR came into force? The powers of the Information Commissioner’s Office (ICO) were bolstered significantly with its introduction.
The biggest fine to date has been for £183.39 million. In July 2019, the ICO announced that it had fined British Airways and its parent company, International Airlines Group (IAG), in connection with a data breach that took place last year – affecting 500,000 customers who had browsed and booked tickets online. This fine was 1.5% of BA’s total revenues for the year ending December 2018, but could have been as much as 4%.
A day later, the ICO fined Marriott International £99.2 million. This related to a cyber-breach in another hotel chain that Marriott subsequently bought.
As this breach was reported to the ICO in November 2018 (once GDPR was in force), the fine was substantially higher than it would have been under the previous Data Protection Act. Under that Act the maximum fine would have been £500,000.
Looking to the rest of Europe, a hospital in Portugal was fined €400,000 (roughly £350,000) for a range of failures, including a profile management system which showed the profiles of 985 registered doctors (despite the fact that there were only 296 doctors engaged at the hospital) and gave doctors unrestricted access to all patient files, regardless of the doctor’s specialty.
We can see that data regulators such as the ICO are not afraid to issue large fines and that data privacy and protection are to be taken seriously. Although the fines highlighted above are at the higher end of the scale, it is likely that more will follow. These have been imposed on a range of companies – such as a hotel chain and a hospital, not just tech companies as you might expect.
Going forward, the ICO has stated that its main areas of focus will be:
- cyber security;
- AI, big data and machine learning;
- web and cross-device tracking for marketing purposes;
- children’s privacy;
- use of surveillance and facial recognition technology;
- data broking;the use of personal information in political campaigns; and
- freedom of information compliance.
Companies should continue to audit their current compliance and ensure that staff are adequately trained in GDPR. It is worth noting that BA was externally hacked and no customer suffered any financial loss, yet they received a substantial fine nonetheless. Marriott was fined for IT security failings that were present before it even bought the company responsible, so companies need to take every precaution to avoid incurring hefty fines.