GDPR hasn’t been a major talking point for a little over a year now. That was when the new regulations kicked in, and most people breathed a sigh of relief, as it meant the stream of emails from sites they’d signed up to years ago, asking for continued consent to use their data, finally stopped.
Whilst the regulations threatened major fines, no stories of businesses using our data improperly emerged, and thus no punishments were given – until now. This week, the Information Commissioner’s Office (ICO) dished out the first two fines of the GDPR era to British Airways and the Marriott hotel group.
So, how heavy were these fines, and what were they given for?
British Airways – GDPR fine £183m
Hackers redirected traffic from BA’s website to a fraudulent version, allowing them to harvest the data of around half a million customers. The ICO criticised BA’s poor online security, which left data thieves able to harvest the names, email addresses and bank details of its customers. The eye-watering £183,000,000 fine – set to be disputed by BA – constitutes 1.5% of the company’s annual turnover. What really ought to shock other big businesses into taking data protection seriously is that the fine constitutes less than half of the maximum GDPR fine, which is 4% of a company’s turnover. In this case, the maximum fine would have approached an incredible half a billion pounds.
Marriott – GDPR fine £99.2m
Marriott’s data breach included the personal information of some 30 million customers of Starwood, a rival hotel chain absorbed by Marriott a few years back. It was ruled that Marriott had failed to conduct sufficient checks on the security of Starwood’s systems, leaving its historic customers vulnerable to data theft.
It’s too early to say whether the enormous fines handed to British Airways and Marriott will be the standard going forward. The ICO may have chosen to hand out by far its biggest fines ever to show big business that customer data protection is to be taken very seriously indeed, flexing its muscles to show off just how much more powerful it has become under GDPR. For comparison, the previous record fine for a data breach pre-GDPR was the £500,000 charged to Cambridge Analytica in 2018. The fine given to British Airways beats the previous record by a factor of 367.
If businesses weren’t taking GDPR and customer data protection seriously before, you can bet they are now.
If your business is holding onto customer data, whether on paper or on old laptops and hard drives, check that you still have permission to be doing so – all customers must have given their consent by May 2018. Anything that you don’t have permission to be holding should be destroyed, and that’s where we come in. View our shredding services section to find the right service for you.
Regular shredding and data destruction should form part of your company’s data protection policy, along with reviews into your business’ digital security. Failure to have a proper data protection policy in light of GDPR could result in your business’ wallet becoming a whole lot lighter, as British Airways and Marriott found out to their chagrin this week.