If you weren’t sure if the UK’s Information Commissioner’s Office (ICO), the data protection regulator, wasn’t prepared to flex its muscles, its first two fines for data breaches amounting to a combined almost £300 million should persuade you otherwise.
It’s the first time the ICO has fined companies under the General Data Protection Regulation (GDPR) after the stricter regulations came into force in May 2018. The ICO can fine organisations up to 20 million Euros or 4% of a company’s global annual turnover – whichever is greater.
First in the firing line was British Airways and its proposed £183 million fine after it compromised the data of around 500,000 customers .
The ICO then announced its intention to fine the US hotel group Marriott International £99.2 million for a data breach which exposed the records of around 383 million guests.
It underlines the ICO’s teeth and willingness to use its powers as well as how two global companies can find their data protection systems compromised.
Marriott’s data breach came after its Starwood guest reservation system was hacked and information including names, addresses, phone numbers and email addresses were stolen whilst encrypted payment card numbers and passport numbers were also exposed. Around 30 million were residents of 31 countries in the European Economic Area (EEA) including seven million from the UK.
British Airways admitted it had been a victim of a cyber attack in October last year which lasted more than two weeks before it was discovered. Magecart group, was blamed after it infected BA’s official website with malicious code to steal users’ credit card data when purchasing plane tickets.
In both cases, the ICO has been the lead investigator for other EU member states and both organisations have the right to respond to the investigation and their proposed sanctions.
In the case of BA, the fine may be eye-watering but actually represents 1.5% of its turnover last year of £11.6bn.
Don’t make the mistake of thinking the ICO will only be gunning for the big boys. In its report looking back on the first year of GDPR, the regulator documented it had received almost double the number of data protection concerns from the public, 41,000 compared to figures in 2017/18 of 21,000. Dealers need to remember it will only take one complaint to the ICO to trigger an investigation.
The number of cases self-reported by organisations also increased - 14,000 personal data breaches were reported from 25 May 2018 to 1 May 2019 compared to 3,300 in the year from 1 April 2017. Since then 12,000 have resolved with 82% requiring no action from the organisation concerned which the ICO says how data is in the main managed responsibly and seriously.
One of the areas where the ICO will focus its attention going forward is technology and cyber security. Following the publication of its ‘Technology Strategy’ last year, the ICO has increased its capability in technology including establishing its Regulators and AI forum designed to enable best practice to be shared.
Autino was awarded the prestigious ISO27001 certification, the international standard for cyber security, in June. ISO27001 focuses on a wide range of technical aspects including data protection, how information is processed, stored and how it is used including employee access and training. It provides peace-of-mind to clients that their customer data which flows through the Autino platform has the highest levels of protection in place. ISO27001 also enables Autino to best meet its obligations under GDPR.