Massive fines show the ICO is serious when it comes to upholding GDPR

When General Data Protection Regulation (GDPR) came into force in May last year, for most people the biggest frustration was the barrage of emails from brands clogging up their inbox. But for brands and marketers, GDPR has been a wake-up call for the way user data is gathered, used and protected.

From email subscriber lists to cookie consent, GDPR regulations keep website users safe from cyber crime and data harvesting. But many in the industry are choosing the flout the regulations rather than risk a drop in ad revenues. And the ICO have set a precedent. In the last few days has it become apparent that the consequences of not complying to GDPR regulations can be huge. To the sum of £183 million to be exact.

British Airways

On July 8, the veteran airline company was hit with a record £183 million fine for a breach in its security systems which happened in September last year.

Hackers carried out a “sophisticated, malicious criminal attack” in BA’s website, which diverted users to a fraudulent site. The hackers were reportedly able to access the site due to a vulnerability in third-party Javascript code. According to the ICO, the details of half a million customers were harvested by the attackers.

Information Commissioner Elizabeth Denham said: “when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Marriott

The US-owned hotel group has been fined £99.2 million for an incident thought to date back to 2014, which only came to light in 2018. About 339 million guests had their personal detailed exposed – 30 million of which were based in Europe and therefore came under GDPR regulations.

The data breach occurred within a rival hotel group names Starwood, which Marriott acquired three years ago. The ICO said that the Marriott had failed to properly review Starwood’s data practices and should have done more to fully secure its systems when it acquired the company.

Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

By going in hard on two internationally recognised brands, the IOC is setting a precedent and a warning to brands: adhere to GDPR or risk more than a slap on the wrist.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Massive fines show the ICO is serious when it comes to upholding GDPR

British Airways

Marriott

Contact us

Contact Us