ICO crackdown on GDPR non-compliance – a stark warning to others

Recently, the Information Commissioner’s Office announced its intention to issue two landmark fines – £183 million against British Airways and £99 million against Marriott Hotels.

Prior to these fines, the maximum data protection fine issued in the UK was £500,000 under the previous regime that existed prior to the introduction of the GDPR in May 2018.

In light of this sudden crackdown on large firms, Justin Ellis, a Director at iLaw and a specialist in data protection regulations, is calling on businesses to take urgent action to review their own policies and procedures to ensure they are compliant with the General Data Protection Regulation (GDPR), under which these fines were issued.

Justin said: “The £183 million fine against British Airways was significant, but to follow up with another fine of almost £100 million against Marriott Hotels in the same week clearly indicates that the ICO is serious about upholding the GDPR.

“In both instances, the fines are actually below the maximum penalty that can be issued, which shows just how significant action by the ICO can be if it chooses to flex its muscles. There is still a significant backlog in cases from the previous data protection regime, but I suspect that we’ll see more and more of these higher fines coming through in the next few weeks as the ICO seeks to make a statement.”

One interesting factor in the Marriott fine is that it is believed that the IT vulnerability which led to over 300 million guest records being exposed globally had begun in 2014, but the problem wasn’t reported until November 2018.

The vulnerability had been inherited when Marriott bought the Starwood hotel group in 2016, and the ICO concluded that Marriott had failed to conduct sufficient due diligence in relation to that purchase.

Even so, the fine has been levied under the GDPR rather than the milder Data Protection Act 1998, which was in force at that time.

Justin has reiterated previous warnings to businesses of all sizes – they should be setting time aside regularly to review their existing procedures to make sure they are compliant. The Marriott case demonstrates the need to be extra-vigilant when acquiring a consumer-facing business.

“By now most businesses should have a policy in place for preventing and reporting breaches and where required, have a data protection officer who can maintain the correct standards, but it’s a case of ensuring that those policies are enforced and kept up to date,” he said.

“Prior to these fines there appears to have been a view in some circles that the ICO had no teeth, but I am sure most would now agree that it is serious about the job it has been set.”

To find out how iLaw can assist with data protection advice and GDPR compliance, please contact us.