Data Breach Fines Begin to Bite Under GDPR

One year after the requirements of the General Data Protection Regulations (GDPR) came into force the UK regulator, has issued two multi-million pound fines.

GDPR updated the 20-year-old Data Protection Act for today’s data environment and increased the maximum fines from £500,000 to up-to 4% of an organisation’s turnover.  

In July 2019 British Airways was fined £183m by the ICO, while it also intends a further £99m fine for hotel chain Marriott. 

These are the biggest penalties to be handed out and the first to be made public since the General Data Protection Regulation (GDPR) has set in place.


About the British Airways Data Breach

Believed to have begun in June 2018, personal details of 500,000 British Airways customers were stolen by vicious attackers, when the customers were sent to a fraudulent website. The incident was announced on 6th September 2018.

Around 380,000 transactions were affected. Stolen information included names, addresses, travel booking details, login details and payment card details of British Airways customers.

ICO have claimed that the breach happened due to British Airways having “poor security arrangements” in place to protect their customers personal information.

Read More


About the Marriott Data Breach

The personal data of 339 million guests of Starwood, a hotel business acquired by Marriott three-years ago were exposed; 30 million of which belonged to citizens in the EEA, 7 million to the UK.

The cyber attack is though to data back to 2014, although it was only discovered in 2018.

The ICO said that Marriott had failed to undertake adequate due diligence of Starwood’s Information Security practices when it acquired the business, although the company responded saying ““We are disappointed with this notice of intent from the ICO, which we will contest”.

Read More.



GDPR, which came into place on 28th May 2018, makes it mandatory to report data security breaches to the Information Commissioner within 72 hours of discovery where there is a significant risk to the rights and freedoms of the individual.

Victims must also be notified.

The legislation also increased the potential fines that can be issued to organisations following a breach, while placing additional data protection requirements around children’s data.

However many of the requirements were already in place under the 1998 Data Protection Act and organisations should ensure they have appropriate technical controls and organisational procedures in place.


ISO 27001 & GDPR

Having ISO 27001 doesn’t make you GDPR compliant, however the Information Security Management standard can be great support.

The internationally recognised Standard for Information Security Management takes a business risk approach to all information assets of your organisation and creates a framework for managing threats to those assets. 

Our ISO 27001 Consultants can help your organisation can help you build a management system incorporating GDPR requirements. Find out more about ISO 27001 and GDPR here, or contact our friendly office team who’ll be more than happy to help!


Kaidee Clark
Kaidee Clark
Articles: 33