Up until now, the consequences for GDPR non-compliance have been gossiped about but perhaps not been taken particularly seriously. That all changed after the ICO imposed staggering fines of £183 million on British Airways and £99 million on Marriott, following data breaches that compromised the personal data of thousands of customers.
The news clearly shocked the business world; this is the first time the ICO has bared its teeth since GDPR came into force last year and the EU regulators have made it very clear that failure to comply with the rules will result in genuinely significant penalties.
At a number of customer events we hosted this week, the blockbuster fines were on everyone’s minds. In particular, people were keen to discuss why the ICO fines were so high, with many agreeing it was because there was a lack of “demonstrating diligence” around the risk prior to the breaches. Indeed, the ICO said in its investigations that Marriott should have “done more to secure its systems”, while BA reportedly lacked “appropriate technical and organizational measures to prevent such an attack”.
The message from the ICO is clear – businesses have a legal duty to ensure the security of personal data, or face fines of up to 4% of the company’s annual turnover.
While BA’s fine stands at 1.5% of its annual revenue, it is still a significant blow (though it could have been much worse). We must also remember that, in addition to the eye-watering fines, BA and Marriott will now also face damaging long-term effects on customer trust, company reputation and their share prices.
With so much at stake, the news will have sparked discussions in boardrooms across the world, with companies urgently taking stock of the security measures they have in place and evaluating whether they are properly protecting the data they process and hold. Any ‘gaps’ will need addressing quickly, with companies looking to cybersecurity solutions that protect networks, devices and people.
I am certain this won’t be the last time we hear about ‘record-breaking’ fines from the ICO this year. Each will serve as a reminder to companies that they cannot be complacent when it comes to compliance; protecting data must be a priority.