ICO crackdown on GDPR non-compliance should stand as a stark warning to others, says iLaw

In the last few days, the Information Commissioner’s Office has announced its intention to issue two landmark fines – £183 million against British Airways and £99 million against Marriott Hotels.

In light of this sudden crackdown on large firms, innovative London legal firm, iLaw is calling on businesses to take urgent action to review their own policies and procedures to ensure they are compliant with the General Data Protection Regulation (GDPR), under which these fines were issued.

Prior to these fines, the maximum data protection fine issued in the UK was £500,000 under the previous regime that existed prior to the introduction of the GDPR in May 2018.

Justin Ellis, a Director at iLaw and a specialist in data protection regulations, said: “The £183 million fine against British Airways was significant, but to follow up with another fine of almost £100 million against Marriott Hotels in the same week clearly indicates that the ICO is serious about upholding the GDPR.

“In both instances, the fines are actually below the maximum penalty that can be issued, which shows just how significant action by the ICO can be if it chooses to flex its muscles. There is still a significant backlog in cases from the previous data protection regime, but I suspect that we’ll see more and more of these higher fines coming through in the next few weeks as the ICO seeks to make a statement.”

One interesting factor in the Marriott fine is that it is believed that the IT vulnerability which led to over 300 million guest records being exposed globally had begun in 2014, but the problem wasn’t reported until November 2018.

The vulnerability had been inherited when Marriott bought the Starwood hotel group in 2016, and the ICO concluded that Marriott had failed to conduct sufficient due diligence in relation to that purchase.

Even so, the fine has been levied under the GDPR rather than the milder Data Protection Act 1998, which was in force at that time.

Justin has reiterated previous warnings to businesses of all sizes – they should be setting time aside regularly to review their existing procedures to make sure they are compliant. The Marriott case demonstrates the need to be extra-vigilant when acquiring a consumer-facing business.

“By now most businesses should have a policy in place for preventing and reporting breaches and where required, have a data protection officer who can maintain the correct standards, but it’s a case of ensuring that those policies are enforced and kept up to date” said Justin.

“Prior to these fines there appears to have been a view in some circles that the ICO had no teeth, but I am sure most would now agree that it is serious about the job it has been set.”

Justin said that those businesses who were unsure about whether they were compliant with the GDPR should seek urgent professional assistance.

To find out how iLaw can assist with data protection advice, please visit www.ilaw.co.uk