In the first year of GDPR enforcement, just a handful of major fines were handed down – making two big ones in the UK this week stand out
The threat of big fines made businesses take GDPR regulations seriously two years ago – but would they ever really happen? Now those big judgments are rumbling like thunder across Europe.
On Monday, Britain's government privacy agency announced it was fining British Airways $230 million in response to a breach of customer data in September of 2018. On Tuesday that agency, the Information Commissioner's Office (ICO), announced a fine of $123 million against hotel chain Marriott for a breach in November of 2018.
The similar announcements both cited the companies’ infringements of the General Data Protection Regulation. The European Union approved the privacy law in spring of 2016 and enacted it some two years later. The business world took careful note of GDPR’s threatened penalties of up to $25 million or 4% of a firm’s annual worldwide revenue.
Just a handful of major fines were handed down in the first year of the GDPR enforcement. (Although France’s $57 million fine against Google – for its handling of user information in its advertising business – in January was significant.)
Yet since May governments have handed down at least as many major fines. And the UK agency behind this week’s fines appears to be on a roll.
Germany fined a police officer $1,500 for looking up a driver’s mobile number using their license plate information and calling them for personal reasons.
The fines this spring included France’s more than $400 million judgment against a real estate company for improperly handling surveillance camera data, and Spain’s $280,000 fine of La Liga for the soccer league’s misuse of the microphone in its mobile app. In a smaller case, Germany fined a police officer $1,500 for looking up a driver’s mobile number using their license plate information and calling them for personal reasons. (The ICO says it is also keeping individuals accountable.)
This week’s fines follow data breaches – which are already extremely costly for businesses – and cite specific GDPR failures with a corresponding penalty assessed. “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements, including log in, payment card, and travel booking details as well name and address information” at British Airways, the agency said. The airline is cooperating with the ICO, and will have a chance to address issues and lessen the fine.
Regarding the Marriott hotel chain, the UK watchdog agency faulted poor security linked to a company acquisition. “The ICO’s investigation found that Marriott failed to undertake sufficient due diligence,” the agency said in a statement, “and should also have done more to secure its systems.”
The Avast Blog asked Britain’s ICO if this week’s two fines should serve as a warning to companies that prepared for GDPR, then set security aside as a priority and returned to business as usual. The response suggested the UK agency is fully in accountability mode.
”The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data,” the office responded, quoting Information Commissioner Elizabeth Denham.