The ICO has recently issued three material GDPR fines against British Airways (£20m), Marriott (£18.4m) and Ticketmaster (£1.25m). The fines are material, but likely to be a drop in the ocean compared to the material value of claims made against the organisations concerned.

Fines impact the balance sheet, but it is the litigation which controllers really fear in the current environment where group litigation and representative (essentially class) actions are the go-to vehicle for claims management companies, claimant law firms and litigation funders.

Any findings in ICO Monetary Penalty Notices centred around GDPR infringements, intentional or negligent acts, material and non-material damage (including financial loss, distress and loss of control/autonomy over personal data), are deeply troubling from a litigation perspective. This is the case, notwithstanding that ICO regulatory findings are not of themselves determinative in any litigation, given the alacrity with which they are frequently (and often lazily) quoted in letters of claim and particulars of claim.

GDPR fines have stolen the headlines over the last 2-3 years, however, soon the amounts claimed, damages awards in court judgments and commercial settlements will dominate instead, which will impact businesses and their insurers.

...the Commissioner has found that Marriott failed to process personal data in a manner that ensured appropriate security of the personal data...as required by Article 5(1)(f) and by Article 32 GDPR.

https://ico.org.uk/media/action-weve-taken/mpns/2618524/marriott-international-inc-mpn-20201030.pdf