Big GDPR Fines For BA And Marriot: Will SMEs Be Next?

Data watchdog issues massive penalties for breaches.

Remember last year when GDPR was big news, and businesses were fretting about the potentially massive fines the ICO might be dishing out? Fun times. But the 25th May deadline came and went, and the world didn’t end. The ICO made it clear that fines would be the last resort, and everyone calmed down just enough to stop worrying about data protection all the time.

And then, this week, the Information Commissioner’s Office announced its intention to fine British Airways £183 million. A few days later, Marriot was said to be facing a fine of over £99 million.

So what’s going on? Is now the time for legitimate panic?

Put down the stress ball, wipe the sweat from your brow and start rubbing that slow-growing ache in your temples. Although the ICO is clearly making a statement of intent with these fines, it’s important to view them in context and to consider the merits of each case.

In BA’s case, its poor cyber security enabled hackers to steal the personal data of 380,000 customers – people who booked flights through its website over a two-week period. This happened in September 2018, months after the deadline for GDPR compliance had passed.

Marriot, meanwhile, took two years to disclose a data breach that affected 339 million guests. The breach actually took place on the network of Starwood Hotels, which Marriot acquired in 2016, but it wasn’t until November 2018 that the hack was revealed. Worse still, it had been going on since at least 2014.

The sheer size of these corporations is impossible to ignore. Their turnover is measured in the billions, so it makes sense that fines against them would be large too; the whole point is to make the fines significant enough to encourage a change of behaviour.

But size of business doesn’t only affect ability to pay fines. Bigger companies have more resources to dedicate to cyber security, including technology and training, so they are reasonably expected to lead the way on data protection. In other words, they’re big enough to know better.

The scale of the attacks is important too, and once again it’s linked to the size of BA and Marriot. They handle the personal data of hundreds of millions of people – a responsibility that cannot be taken lightly – and they have a duty to invest in appropriate security measures.

So what does all of this mean for SMEs?

Above all else, it shows the ICO’s approach to GDPR is proportionate – not just in terms of fines but also in how it views each business’s obligations and ability to protect data. A small business with 100 customers, for example, isn’t going to have the same level of cyber security as a multi-national corporation with 100,000, and the ICO is well aware of that.

Nevertheless, the principles are the same: all organisations have a duty to protect any personal data they process. That means investing in cyber security and following best practice at all times. Repeated or systematic failure to do so could realistically lead to a fine, and although it won’t be as big as the ones levied on BA and Marriot, it will probably be large enough to hurt.