First Fines Issued by the ICO Under GDPR

12 Jul 2019

The last week has seen two companies fined in excess of £300m by The Information Commissioner’s Office (ICO) in relation to breaches of new data protection regulations. On Monday the ICO issued a notice of its intention to fine British Airways £183.39 million under the General Data Protection Regulation (GDPR) in relation to a cyber incident which the company notified to the ICO in September 2018. The following day, the ICO issued a notice of intention to fine Marriott International just over £99 million for infringements of GDPR. The fines are the first proposed by the ICO under GDPR, which afforded the ICO much greater power to levy fines on companies which are found to be in breach of data protection laws. In British Airways’ case, the fine represents about 1.5% of its worldwide turnover.

Why are BA and Marriott Being Fined?

The security principle of the GDPR requires ‘appropriate technical and organisational measures’ to be taken to protect the integrity and confidentiality of personal data.

The BA data breach began in 2008 and involved users of their website being diverted to a fraudulent site. AS a result, customer details were harvested by attackers. It is thought that the personal data of approximately 500,000 customers was compromised in the incident. BA did cooperate with the ICO during the investigation, and has made improvements to its security arrangements since. The company has already given notice of its intention to appeal the fine, with the Chief Executive of BA’s parent company saying “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.

In Marriott’s case, the proposed fine relates to an incident notified to the ICO in November 2018. Personal data which was contained in approximately 339 million guest records globally was exposed. Seven million of these records related to UK residents. The vulnerability of the data began when the systems of the Starwood Hotels group, which Marriot later acquired, were compromised in 2014. However the exposure of the information was not discovered until 2018 and the ICO has found that Marriot failed to take sufficient due diligence when it purchased the hotel group, and that it should have done more to secure its systems.


The fines clearly show that in the new GDPR data protection regime, the risks to companies relating to the handling of personal data have increased substantially.

Under GDPR, the ICO (and other data regulators in Europe) has the power to issue fines of up to €20 million, or 4% of annual global turnover, whichever is greater. The level of the fine will be dependent on how severe the ICO considers the breach to be, and also on other factors such as the level of cooperation of the company involved.

The fines have attracted much comment in the press, with the Guardian stating that “The ICO is using its first two investigations under GDPR to make an example of British Airways and Marriott, providing a cautionary tale for others”. An analyst working in the City of London stated that the fine would make a dent in BA’s financial performance, and that it would serve “a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board”.

The Information Commissioner Elizabeth Denham has defended the steep level of both fines and commented that “The GDPR makes it clear that organisations must be accountable for the personal data they hold…Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public”.

Importance of Compliance with GDPR

Both companies have the right to appeal both the findings of the ICO and the level of the fines which have been proposed. However even if both companies succeed in their arguments that the level of the fine should be reduced, the sum will still likely be substantial, and much more than the expenditure which would have been required to prevent the incidents from happening in the first place.

On the above point, Eerke Boiten, who is a professor of cybersecurity at DeMontfort University has commented that “Actual expenditure on technical solutions and staff time to implement the right security to prevent this will not have been near a nine-figure sum like the fine…I’d be surprised if it was more than a few million.”

Clearly then, companies and all those processing data should be taking sufficient steps to ensure that they are complying with GDPR, and those that do not expose themselves to the risk of being investigated and ultimately fined by the ICO.

Osbornes can assist individuals whose personal data has been compromised and our firm has recently settled two cases against local authorities for misuse of personal information and breach of data protection law. Both cases settled with damages being paid to the claimants without court proceedings being issued. We are currently investigating another potential claim against a local authority for breach of data protection law.

If you or a family member have experienced the misuse of your personal data, please contact Stephanie Prior on 020 7681 8671 or Nicholas Leahy on 020 7485 8811.

Share this article