The ICO has drastically scaled back its proposed fines for British Airways (BA) and the Marriott hotel chain over their data breaches: from £183.39m to £20m for BA, and from £99.2m to £18.4m for Marriott.
As we reported in August 2019, under the GDPR organisations can be fined up to €20m or 4% of their global turnover for the preceding financial year, whichever is higher. The proposed fines represented 1.5% of BA's turnover and around 3.5% of Marriott's; the final penalties stand at 0.2% and 0.6% respectively.
In calculating the amounts, the ICO must abide by Article 83 GDPR, as supplemented by its own Regulatory Action Policy (RAP). The RAP sets out a five-step calculation:
- Removing any financial gain the perpetrator may have derived from the breach (the initial element)
- Adding an element to censure the breach based on its scale and severity, taking into account the considerations identified in the Data Protection Act 2018 (DPA)
- Adding an element to reflect any aggravating factors
- Adding an amount to achieve a deterrent effect on others
- Reducing the total (other than the initial element) to reflect any mitigating factors, including ability to pay (financial hardship)
In addition, the ICO's Covid-19 policy takes account of the particular financial hardship suffered by businesses during the ongoing pandemic. This includes the ICO considering, inter alia, the economic impact and affordability of fines, and the policy states that "in current circumstances, this is likely to continue to mean the level of fines will be reduced".
The BA and Marriott fines served as clear "test cases", with the ICO refining its approach to calculating penalties in the wake of substantive representations from BA and Marriott as to the correct calculation of the fines. Businesses can take away the following as regards personal data breaches:
- Data security is key – even after these reductions, the ICO's enforcement powers continue to represent a significant financial risk for businesses with inadequate data security measures
- Cooperation with the ICO – early notification of the breach and cooperation with the ICO's investigation are both important
- Swift remedial action – promptly notifying affected customers and fixing the cause of the breach are potential mitigating factors
- Challenge – both BA and Marriott mounted strong challenges to the ICO's proposed calculations, and the final penalties were a fraction of the amounts originally announced