It’s been over a year now since GDPR took effect on May 25th 2018, and for a while there it looked like the ICO (Information Commissioner’s Office) was going to take a particularly passive role in proceedings - to be fair, not very much happened in those first 12 months. And with far too many companies arbitrarily citing ’Legitimate Interests’ over and above the basic consumer rights afforded by ’Explicit Consent’, it really looked for a while as if this was going to be a somewhat toothless organisation.
With regards to British Airways: the personal data of approximately 500,000 customers was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information. In effect British Airways was using a third party solution to take payments for excess luggage and the like, but said API had not been properly maintained for years and had long since been hacked to divert customers to a fraudulent site, which captured their details in the process. The intended fine is a considerable one at £183.39 million; right now the ICO is considering representations by BA, so the fine could still be lowered or waived depending on that final adjudication. For GDPR to be valid, though, it is critical that it be properly policed, and those who flout the regulations must be brought to book as such.
In the case of Marriott International, its breach goes back to 2014 and relates to its purchase of the Starwood Hotels Group in 2016, where the vulnerabilities identified in 2014 were still present and not properly followed up until 2018 - by which time the whole group had been affected, and 339 million of its guests globally had been exposed, including 30 million EU residents and 7 million from the UK. The fine of £99,200,396 is essentially for failure to carry out due diligence and to rectify and shore up the vulnerabilities that had been identified at Starwood way back in 2014.
In both instances there is a lack of care and due diligence, in effect masquerading under the banner of gross negligence. Under the terms of GDPR the data holder is required by law to safeguard the storage of that data and to maintain its integrity on an ongoing basis. For both British Airways and Marriott Hotels there was obviously a failure of care here. As promised when GDPR was first announced, these fines are exceedingly steep - but they kind of need to be to ensure compliance with the legislation, as there are so many vested interests at play and so much to be gained by companies by breaking or cheating the system.
It will be interesting to see how much the ICO sticks to its guns here, and how much indeed those two companies are made to pay out in the end. It has to be noted that, as with all law enforcement, if the punishment is not meted out then those crimes of neglect and exploitation will continue unabated. We wait with interest to witness just how all of this pans out ...