In the last couple of days, the Information Commissioner’s Office has issued two notices of intent to impose the first ‘mega fines’ under the GDPR regime for data breaches by British Airways (for £183.39 million) and Marriott International (for £99.2 million). Both companies now have the chance to respond to the notices of intent, after which a final decision will be made by the ICO. Even if the final fines do remain at the current intended levels, it seems likely that the companies will appeal, a process which would take some considerable time and potentially end up in the Court of Appeal. The ICO has not yet published full details of the specific infringements or of how the fines have been calculated.
Whatever the outcome of the enforcement, it is clear that these notices mark a turning point in GDPR enforcement – and will certainly serve to focus the minds of companies with respect to data security and GDPR compliance. It may also force some organisations to carefully reconsider their current approach to GDPR risk.
The Marriott notice may also have significant implications for corporate M&A. The notice concerns a compromise of the systems of the Starwood hotel group prior to its acquisition by Marriott, with the breach itself discovered following completion of the corporate acquisition. The fine shines a spotlight on the importance of data and cyber due diligence in corporate transactions. For further details, see the posts on the BA notice and the Marriott notice on the HSF Data Notes blog.