GDPR Fines – Should I be worried?


Speed Read Summary


Mitigate the risks to you and your business by taking these three key steps:


  1. Have clear data protection policies and procedures in place and circulated;
  2. Test your reporting policy in practice, and keep it updated; and
  3. Understand your systems and where data goes.




The Information Commissioner’s Office (ICO) has recently announced its intention to issue its first substantial fines under the new GDPR provisions – an eye-watering £183 million to British Airways, and nearly £100 million to Marriott International Inc. Both have the opportunity to present their case to the ICO before the fine becomes final.

Our clients have been asking us whether they should be worried – we take a closer look at the facts and give you our top tips on managing your customers’ personal data below:

What happened?

British Airways: Following a cyber incident beginning in June 2018, the personal data of approximately 500,000 BA customers was compromised after they were diverted to a bogus BA site. Following its investigation, the ICO found that there were poor security arrangements at multiple points in the BA online booking process, including login, payment card and travel booking data collection.

Marriott International Inc: This involved another cyber incident – Marriott International acquired the Starwood hotels group in 2014, and a vulnerability in the Starwood system led to the personal data of approximately 339 million guests being compromised. This vulnerability wasn’t discovered by Marriott until 2018, and the ICO investigation found failings in Marriott’s due diligence during the buying process, and failures in ensuring the systems were secured.


What can we do better?

On reviewing the ICO’s findings, our view is that the issues weren’t the cyber incidents themselves – personal data is valuable and unscrupulous people will be tempted to steal it – but rather the failures of the systems in place to protect personal data. The ICO considered that neither BA nor Marriott had done enough to understand what protective systems were in place, or done enough to ensure that they were able to adequately defend their customers’ personal data.

A key difference between the old Data Protection Act approach and the new system under the GDPR is that just having systems in place isn’t enough – you need to demonstrate that they comply with the requirements of the GDPR, and that ongoing compliance is embedded in your business planning and systems.

You may not be able to prevent every cyber incident, but you can minimise the risk of compromising your teams’ and your customers’ personal data by asking yourself the following key questions:

Do you have policies and procedures in place for reporting incidents?

By having policies in place, you can ensure that your staff know when and how to report security incidents. Early reporting means early investigation, and a better chance of resolving the issue.

Are your policies reviewed and updated?

Have a policy in place? Great! However, as we discussed, just having a policy in place isn’t enough – make sure that you regularly review it, test any procedures, and remember to update it with any improvements you’ve found.

Do you know where your data goes?

If personal data travels across the different systems you use, these points of transfer could make it vulnerable to interception. By mapping the data’s journey through your systems and understanding how your systems ‘talk’ to each other, you can identify potential vulnerabilities and focus on protecting those points – you may even find ways to reduce your processes and data transfers.


How can we help you and your business?

Are you uncertain about your GDPR obligations, or feel you just need some fine tuning? Our data protection specialists can help you. We deal with all aspects of Data Protection – whether you have a quick query or need a full compliance audit. Call our commercial team on 0161 926 9969 or email