Here at The Defence Works we’re often asked by news publications to give our thoughts on current hot topics. This week we were asked by the Financial Times to comment on the latest ‘intended’ GDPR fines, hitting British Airways and Marriott Hotels – as we reported earlier this week.
So, what’s happened this week?
Well, put simply – British Airways and global hotel chain Marriott have been told this week they could face record-breaking fines for recent data breaches – potentially £183.4m for BA (representing 1.5% of their turnover in 2017) and £99m for Marriott (about 3% of the hotel company’s $3.6bn revenue from 2018). Not small change.
Speaking to the Financial Times, Mark Deem, senior partner at the law firm Cooley, commented:
“It’s undoubtedly a statement of intent and will make a lot of corporate UK sit up and take notice”.
Martin Tyley, head of UK cyber and privacy at the consultancy KPMG, stated:
“Under the [previous law] the maximum fine was £500,000. When you suddenly jump from that to a level in the high millions, it does feel as if these fines will have very real impact on those companies, and there will be a deterrent effect.”
Edward Whittingham, our very own Managing Director of The Defence Works, provided his comments to the Financial Times:
“Until now, we knew GDPR had teeth but we didn’t know how hard it could bite. These penalties will raise some serious concerns for other businesses going forward.”
What’s next for British Airways and Marriott?
It’s unusual for the ICO to give a warning of the intention to fine a company, but given British Airways and Marriott’s recent warnings to investors as a result of anticipated fines, the ICO felt it best to make such statements.
Both organisations have 28 days to appeal, and we won’t know the final result until the final penalty notice (and full explanation) is issued in around 16 weeks’ time.
What’s on the horizon?
Well, what we do know is that the Information Commissioner’s Office is looking at (at least) 12 further “significant cases”. One such case is likely to be Dixons Carphone, which only last year reported an incident affecting 10m customer records.
You can read the full Financial Times article here.