There was a naïve hope that the ICO would approach enforcing the new GDPR as gently as it had initially approached enforcement under the Data Protection Act, way back in 1998: some modest fines and reminders to comply with the law, but, as long as you had “had a go” at compliance, that would basically be acceptable.
This week, however, the ICO flexed its GDPR muscle and announced its intention to fine BA £183 million (about 1.5% of BA’s 2017 worldwide turnover) for the inadequate security of its IT systems. That inadequacy led to an incident in which traffic to BA’s website was diverted to a fraudulent site, compromising the personal data of approximately 500,000 BA customers. BA notified the ICO of the breach and co-operated fully with the investigation; the proposed fine therefore relates only to the security failings that allowed the attack, not to how the breach was reported.
While everyone took a sharp intake of breath, and BA expressed surprise and disappointment at the size of the fine, the ICO was busy announcing more of the same: Marriott (the hotel group) is to be fined £99 million for a breach of Starwood’s IT systems. The attackers gained access to Starwood’s systems in 2014 and remained there undetected, and approximately 339 million guest records were exposed.
Starwood was acquired by Marriott in 2016 and the breach was not discovered until 2018. The clear message is that responsibility lies with the party holding the data to keep it secure, and that includes where it acquires a business along with a pre-existing IT system: the obligation to hold personal data securely transfers with the data, so due diligence on an acquisition should include a proper security assessment of the systems being inherited, and any system brought into the group should be carefully tested before it is relied on.
In both cases, BA and Marriott, the compromised data included payment card details and unencrypted personal data, and in both cases the IT systems had neither been adequately tested for security nor kept up to date enough to maintain it. The GDPR (Article 32) imposes a clear obligation to implement security measures appropriate to the risk, taking account of the state of the art: as technology and the threats to it develop, so must the security measures in place, and a system that was adequately secured when it was built does not stay that way on its own.
On another front, the ICO has also tackled the Metropolitan Police over its backlog of Subject Access Requests (“SARs”) under the GDPR that remain outstanding beyond the permitted one-month period for a response. The ICO has given the Met three months to clear the backlog and to put a system in place capable of handling the volume of SARs it receives. It would seem, then, that the ICO intends to enforce all aspects of the GDPR, not just the headline-grabbing security breaches.