GDPR fines – will the next fines be for SMEs?
Did you see the fines issued by the Information Commissioner’s Office to BA and Marriott and think that the ICO is only targeting big business? Harriet Jones, partner at IBB Solicitors, ponders who will be next…
The UK’s Information Commissioner’s Office (ICO) hit the news this summer with the announcement of fines of £183m to British Airways and £99m to Marriott International, Inc.
The ability for the ICO to issue enormous fines is not news – the EU legislation passed in 2016 said clearly that fines can be up to €20m or 4% of worldwide turnover (whichever is the higher). The size of the first two fines by the ICO under the new legislation shows they intend to exercise those powers where they feel that the organisation has failed to adequately protect personal data.
Both fines involved a cyber security incident and a breach of the legislation in relation to personal data of consumers. This may reinforce a view held by many SMEs in the UK that GDPR is not relevant to their business because they do not sell to consumers. I have heard some SMEs saying that they have no “personal data” because they do not sell to consumers. This is a myth. Every business has personal data: anything which identifies a living person is personal data, and that remains true even if the person’s contact details are for work rather than home.
A lot of the “new” provisions of GDPR were in the Data Protection Act 1998 and are built on common sense: you must look after personal data. All businesses that I know, large or small, have always had special measures in place for employment files because the business owner recognised that they shouldn’t leave details about their employees hanging around the office. This common-sense approach is all that is needed for other personal data you hold: only keep the personal data you need for as long as you need it; think about the security measures (cyber and physical) you have in place for that personal data; and document the arrangements you have in place whenever you send personal data outside your organisation.
There is greater awareness of data protection obligations, and therefore businesses are more likely to receive requests from data subjects, either to know what personal data the business holds about them, or to request that all records of them are removed from the business. Any SME that has not done its homework on GDPR will struggle to deal with such a request properly and risks a complaint being lodged with the ICO for failure to respond. And the ICO has shown it isn’t afraid to act.
What have we learned from these two fines?
Self-notification and cooperation
BA and Marriott both notified their respective incidents to the ICO. Both cooperated with the ICO investigation which followed notification. Both made improvements to their security arrangements after the events came to light. Both were fined.
Bad press
It remains to be seen if the quantum of these fines will be reduced on appeal, but the implications for all businesses are clear: failure to protect personal data will result in action from the ICO and a very public announcement of a fine for such failure.
Ignorance is not bliss
The Marriott breaches date back to a business that Marriott acquired in 2016, although the exposure of customer information was not discovered for two years. The ICO found that Marriott failed to undertake sufficient due diligence to discover the breaches AND should have done more to secure its systems.
Saying you didn’t know about a breach because it wasn’t on “your watch” and blaming previous business owners is not a defence. This is likely to have significant implications for business acquisitions in the future. Many buyers have been seeking an uncapped indemnity for breaches of GDPR, but the buyer should, before completion, thoroughly review the policies in place and test the target’s processes, because the indemnity may not be sufficient protection against a large fine and/or the bad press associated with the ICO deeming the business to be deficient at protecting personal data.