The GDPR enhances existing data subject rights and also includes a new data subject right of erasure of personal information.
Last year saw the largest fine in recent years for a breach of data protection legislation. The Information Commissioner’s Office (ICO) imposed a £500,000 fine on Facebook for its role in the Cambridge Analytica scandal. That fine was dealt with under the Data Protection Act 1998, which had a maximum penalty of £500,000. Since the GDPR came into force in May 2018, the maximum penalty has risen to a cap of 4% of the business’s annual turnover.
British Airways and Marriott International
Last week, on the 8th and 9th July 2019, the ICO issued notices of intent to impose the biggest fines to date under the GDPR for data breaches at British Airways (£183.39 million) and Marriott International (£99.2 million). British Airways and Marriott are being fined for failing to implement appropriate security arrangements for the personal data they hold.
These ICO notices mark a milestone in GDPR enforcement and shine a light on the importance of data protection compliance generally and, in particular, ensuring that adequate data security is in place.
Corporate mergers and acquisitions
The notice served on Marriott may also have significant implications for corporate mergers and acquisitions. It concerned a compromise of the Starwood hotel group’s systems in 2014, prior to Starwood’s acquisition by Marriott in 2016. Marriott only discovered the breach in 2018, after the acquisition had completed. The incident exposed personal data contained in approximately 339 million guest records globally. According to the ICO:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Cyber due diligence
This Marriott notice highlights the importance of data and cyber due diligence in corporate transactions. Due diligence must include a thorough review of the target’s IT systems and any evidence of past cyber incidents which may have resulted in personal data being compromised.
The ICO is clearly prepared to penalise severely breaches of the GDPR which have an extensive impact on data subjects. Under the GDPR, companies are expected to implement satisfactory security controls to prevent the types of incident which affected British Airways and Marriott.
Data and privacy policies
Businesses should therefore not only adopt and implement appropriate data and privacy policies, but also ensure those policies are continually reviewed so that they remain effective in supporting compliance and in protecting personal data against currently known threats and vulnerabilities.
For further advice on this issue please contact our Corporate & Business Team.