GDPR begins to bite

Written by Anastasia Troshkova | July 11, 2019

Data Protection

It has been a little over a year since the General Data Protection Regulation came into force, imposing extensive privacy and data protection requirements and raising penalties for non-compliance to a maximum of 4% of annual worldwide turnover or €20 million, whichever is greater. Things were quiet for a while after the new law was introduced, until at the beginning of July 2019 the ICO announced plans to impose two record-breaking fines in a row: £183 million on British Airways and £99 million on Marriott.

British Airways is facing a fine for the breach of its security systems that took place last year. The breach happened when user traffic of BA’s website was re-directed to a fraudulent website. Attackers stole the personal data of about 500,000 users in the incident, including names, email addresses, travel booking details, credit card information and logins.

The international hotel group Marriott, on the other hand, had an incident that compromised the personal data of 339 million guests. Marriott believes that the breach began in 2014 in the systems of the Starwood hotels group, which the international hotel chain acquired in 2016. The hotel is believed to have failed to undertake sufficient due diligence in the acquisition of Starwood.

Information Commissioner Elizabeth Denham commented as follows:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The above cases indicate that the ICO is starting to take GDPR compliance extremely seriously, and all businesses, regardless of size or industry, are expected to be GDPR compliant. Briffa are experts in all aspects of data protection law and practice. If you need to have your privacy policy or cookie policy reviewed or redrafted, or if you require any other advice or assistance concerning your GDPR compliance, please do not hesitate to get in touch on 020 7288 6003 and we will be pleased to offer you a free consultation.

Written by Anastasia Troshkova, Solicitor

