31 July 2019

Proposed data breach fines give first indication of GDPR enforcement approach

The confirmation by the ICO that it intends to issue fines in relation to two high profile data breaches within the travel sector has attracted many headlines. The proposed fines of £183 million for British Airways and £99.2 million for Marriott would be the biggest fines ever issued by the ICO by some way (its previous maximum fine was £500,000 under the old law). The ICO has confirmed that there is also an ongoing investigation into a cyber breach at Cathay Pacific and this may lead to a fine.

In these cases, due to the size of the potential fines, the companies involved were required to make announcements to investors – this has not historically happened for the lower fines under the old law.

Whilst it is worth remarking on these headline figures, it is important to take a step back and put the proposed fines into context. The first factor to take into account is that these fines are not yet finalised. The process being followed by the ICO, where it issues a notice of intent to fine and then takes representations from the organisation, is usually carried out behind closed doors, with the fine only being announced at the end of that process.

This means that there is as yet no information available to the public setting out the reasoning for the level of the fine. Commentators have made their best guesses at the factors which have or could have been taken into account, but it remains to be seen how much weight the ICO places on each factor. There is also the possibility that the final fines will be lower than is proposed, if the companies are able to put a compelling case forward (although it should be noted that they will have been able to provide evidence during the investigation to date, so some of this may already have been taken into account).

Even if these fines stand, it is also clear that these incidents represented a very small proportion of the personal data breaches reported to the ICO over the first year since GDPR came into effect. The ICO states in its most recent Annual Report that it received 13,840 notifications of breach, and that it closed its files on 12,385 of these.

The Annual Report goes further and sets out the outcome for closed files. For the vast majority (82%) no further action was required by the ICO. This is likely to be because the breach was relatively minor, or because the organisation involved had proactively taken steps to learn from its mistakes and put remedial actions, such as additional security or internal processes, in place. In 17% of cases further action was required from the data controller – these would typically be additional remedial actions which had not been identified by the data controller. Therefore, in the vast majority of cases, taking steps to reduce the risk of further breaches is seen as a higher priority than issuing fines.

Only 0.05% of cases led to the ICO pursuing fines. Given the number of breach reports received, this equates to around 6 or 7 potential fines – roughly in line with what has happened in previous years. The ICO’s threshold for when a fine may be appropriate is also likely to be fairly similar. The only change from previous years is that the maximum amount of the fine has increased. Even so, the proposed fines do not reach the maximum level permitted under GDPR of 4% of global turnover, leaving the ICO scope for even bigger fines in the future, particularly where breaches are suffered by companies with a large turnover.

Finally, the travel sector will be understandably concerned about the number of fines in the sector. The industry is an attractive target for hackers due to the volume and nature of the data held, and it is this, and the breaches which have resulted, which have led to the fines rather than the ICO actively targeting the sector. That said, the fines should come as a wake-up call that information security and GDPR compliance should be regularly reviewed in order to minimise the risk of attack as far as possible.