Simon Clayton, chief ideas officer, RefTech, explores the significance of the recent fines slapped on British Airways and Marriott.
In the last few days, the Information Commissioner’s Office (ICO) has announced its intention to fine British Airways £183m and Marriott nearly £100m for data breaches reported since GDPR came into effect in May 2018.
The fact that the ICO has started talking about these two large fines so closely together leads me to wonder if the ICO may be making an example of these two businesses and using these incidents to set a precedent and to shock companies into realising that data security is a serious matter. Although the BA fine was pretty huge, it only actually equates to around 1.5% of their turnover for 2017, and the ICO could have gone up to 4% of global turnover if they deemed it necessary.
It’s also worth remembering that the ICO has always preferred the carrot to the stick; they will only dish out huge fines if a company was negligent. BA was negligent, whilst Marriott was warned about the database they took on when they acquired the Starwood hotel chain, and the breach occurred for a four-year period.
The ICO aren’t the bad guys: if a company has truly done everything in their power to prevent a hack, then it is likely that they will be accommodating. This ruling has demonstrated that if an organisation is careless with personal data, the ICO will come down like a ton of bricks with a fine that reflects the error, because it’s the only way to hit them where it hurts: their profits.
The world has changed and GDPR has been introduced to ensure organisations step up to that change. It is predicted that half of retail sales in the UK will be conducted over the internet by 2028; that’s a huge number of transactions and a huge amount of trust that consumers are placing in companies who process their data. GDPR has quite rightly given the ICO the power to force companies to do better. This is not an area that could be self-regulated; GDPR was a necessary introduction and I’m glad that the ICO is now exerting its power.
These multi-million-pound fines could be just the tip of the iceberg for BA and Marriott. The impact these fines could have on their share prices could end up increasing the figures tenfold. GDPR also states that data subjects can sue a company for ‘material and non-material damage’ if their personal data is lost. So we may see class action lawsuits created by lawyers representing the swathes of people affected by these breaches. Will data breaches become the new PPI?
I hope that these fines will be the wake-up call that the ICO intends them to be: to make boardrooms all over the country sit up and realise that data protection is a serious matter, to ensure that they repeatedly ask their IT teams “can we do anything else to protect the personal data we hold?” and then put sufficient talent and budgets in place to ensure changes are implemented.
So go now and ask your IT team if they are doing everything possible to prevent a data breach, and if they aren’t, then listen to them and implement their recommendations. Losing four percent of your company’s turnover can make a big dent in your profits and an even bigger dent in your reputation.
If you still don’t understand GDPR, there are a lot of useful guides on the ICO website, and even a guide specifically written for the events industry on our website. Or come and find me at one of the industry shows – I’m always happy to help a small business that is taking data security seriously and just wants to get it right.