It has been a little over a year since the General Data Protection Regulation came into force, imposing extensive privacy and data protection requirements and raising penalties for non-compliance to a maximum of 4% of annual worldwide turnover or €20 million, whichever is greater. Things had been relatively quiet since the new law was introduced, until at the beginning of July 2019 the ICO announced plans to impose two record-breaking fines in a row: £183 million on British Airways and £99 million on Marriott.
British Airways is facing a fine for the breach of its security systems that took place last year. The breach occurred when user traffic to BA's website was redirected to a fraudulent website. Attackers stole the personal data of about 500,000 users in the incident, including names, email addresses, travel booking details, credit card information and logins.
The international hotel group Marriott, on the other hand, had an incident that compromised the personal data of 339 million guests. Marriott believes that the breach began in the systems of the Starwood hotels group in 2014, which Marriott acquired in 2016. The hotel group is believed to have failed to undertake sufficient due diligence in the acquisition of Starwood.
Information Commissioner Elizabeth Denham commented as follows:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Written by Anastasia Troshkova, Solicitor