
Since GDPR came into force, there have been:

  • 160,000 breach notifications made to authorities
    • 247 notifications per day in 2018
    • 178 notifications per day just in the first half of 2019
  • A total of £100m in fines

Here are some of the recent fines that regulating authorities have issued and guidance on how to make sure your business stays on the right side of GDPR.

Four GDPR fines we can learn from

British Airways – £183m (under appeal)

What happened?

The airline was the victim of a cyber attack in which the personal data of 500,000 customers was stolen by hackers through a fake website. The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said. The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

Why are they being fined?

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

What can we learn?

The first lesson is the importance of having the right procedures and systems in place to mitigate the damage of a breach. Because the breach was noticed quite swiftly and BA had the appropriate cyber security procedures in place, they were able to limit the scope of the breach, including how much personal data was compromised and the number of people affected. The second lesson is that the bigger the company that suffers a breach, the bigger the story, and therefore the bigger the resulting reputational damage.


Marriott Hotel Group – £100m (under appeal)

What happened?

The hotel chain suffered a data breach exposing the personal details of 339 million guests including 30 million EU citizens and 7 million UK citizens. Personal data including credit card details, passport numbers and dates of birth had been stolen in a colossal global hack of guest records. In total, it is believed the hackers stole:

  • 383 million guest records
  • 18.5 million encrypted passport numbers
  • 5.25 million unencrypted passport numbers
  • 9.1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

Why are they being fined?

Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

What can we learn?

The main lesson from this breach is the importance of conducting the appropriate due diligence during mergers and acquisitions.

Doorstep Dispensaree – £275,000

What happened?

In December 2019, the ICO issued a £275,000 penalty against London-based pharmacy Doorstep Dispensaree. The pharmacy had around half a million printed documents containing sensitive personal data stacked in unlocked containers at the back of its office.

Why were they fined?

They were fined not just for exposing personal data to potential access by third parties, but also for unlawfully destroying personal data, because some of the documents had been severely damaged by exposure to the elements. There was no effective data governance in place, so there was no way of knowing whether the information lost in those documents, which were apparently awaiting disposal, included sensitive information about the data subjects.

The ICO said the careless way that Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss.

What is special category data?

Under GDPR, special category data is the personal information of data subjects that is especially sensitive. Exposing such data could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination. In this case, the special category data that may have been exposed or destroyed unlawfully could include:

  • Race and ethnic origin
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

What can we learn?

This fine is unique insofar as the pharmacy was fined not just for its lax methods of storing data, but also for the way it disposed of the data. When destroying or deleting personal data, it is important to know whose data, as well as what data, is being deleted.

1&1 Telecom – €9.5m

What happened?

The German regulator discovered that callers to telecoms company 1&1 Telecom’s call centre could obtain customer information simply by providing a customer’s name and date of birth. This meant that its customers’ personal information was not properly safeguarded. In its announcement of the fine, the BfDI explained that the company had violated Article 32 of the GDPR, under which it must unambiguously identify the person with whom it interacts as the data subject.

Why were they fined?

Federal Commissioner Ulrich Kelber said that “…persons calling the company’s customer service hotline could obtain extensive information about further personal data merely by providing a customer’s name and date of birth.” If a controller hands over personal data to an individual without a record showing that it has identified that individual as the data subject to whom the personal data pertains, this would be considered a data breach. The German authorities are now investigating whether other telecoms companies had the same procedures.

What can we learn?

A key lesson here is the importance of being able to show a willingness to comply with authorities. Because they had been “transparent and very co-operative”, the company received a lower fine. Further, enrolling staff in GDPR training will help them understand the procedures necessary to lawfully obtain and share personal data.