
Massive fines show the ICO is serious when it comes to upholding GDPR

by Olivia Williams | 09.07.2019

When General Data Protection Regulation (GDPR) came into force in May last year, for most people the biggest frustration was the barrage of emails from brands clogging up their inbox. But for brands and marketers, GDPR has been a wake-up call for the way user data is gathered, used and protected.

From email subscriber lists to cookie consent, GDPR regulations keep website users safe from cyber crime and data harvesting. But many in the industry are choosing to flout the regulations rather than risk a drop in ad revenues. And the ICO has set a precedent. In the last few days it has become apparent that the consequences of not complying with GDPR regulations can be huge. To the sum of £183 million, to be exact.

British Airways

On July 8, the veteran airline company was hit with a record £183 million fine for a breach in its security systems which happened in September last year.

Hackers carried out a “sophisticated, malicious criminal attack” on BA’s website, which diverted users to a fraudulent site. The hackers were reportedly able to access the site due to a vulnerability in third-party JavaScript code. According to the ICO, the details of half a million customers were harvested by the attackers.

Information Commissioner Elizabeth Denham said: “When you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Marriott

The US-owned hotel group has been fined £99.2 million for an incident thought to date back to 2014, which only came to light in 2018. About 339 million guests had their personal details exposed – 30 million of which were based in Europe and therefore came under GDPR regulations.

The data breach occurred within a rival hotel group named Starwood, which Marriott acquired three years ago. The ICO said that Marriott had failed to properly review Starwood’s data practices and should have done more to fully secure its systems when it acquired the company.

Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

By going in hard on two internationally recognised brands, the ICO is setting a precedent and a warning to brands: adhere to GDPR or risk more than a slap on the wrist.