GDPR Fines

How big is the ICO’s appetite for issuing big fines under GDPR?

Extremely, if the fines announced this week are a reliable barometer!

The ICO has announced decisions to fine British Airways £183.39m and Marriott £99.2m as a result of data breaches.

British Airways notified the ICO of a cyber incident in September 2018. This incident involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were accessed by the fraudsters. In total roughly half a million customers’ details were compromised in this incident, which is believed to have begun in June 2018.

The investigation found that poor security arrangements contributed to log in details, card details, travel booking details as well as other personal information being compromised.

British Airways Chairman and Chief Executive Alex Cruz has said that the airline are “surprised and disappointed” by the Regulator’s decision, and reiterated that they found no evidence of fraudulent activity on accounts linked to the breach.

Marriott admitted that personal data of 339 million guests had been accessed by hackers.

Both Companies have 28 days to appeal the fine.


The fine represents 1.5% of BA’s worldwide turnover in 2017, and around 3% of Marriott’s global revenue during 2018. The maximum penalty the ICO can enforce is 4% or global turnover under GDPR which would have meant a fine approaching £500m. Under the old Data Protection regime the maximum penalty was £500,000.

The nature of GDPR is that regardless of whether the ICO and BA or Marriott negotiate a lesser fine, the impact will still be significant and act as a deterrent. The determining factor is not the volume of compromised data, but rather the nature of the data, the risk caused by any breach and the immediate steps taken to mitigate any damage.

Whilst the fines are headline grabbing and concern large multi-nationals, they nevertheless show that the ICO is not afraid to dish out large fines for data breaches under GDPR and all businesses that process personal data should take note. Whilst the number of fines issued by the ICO will likely remain small, the fines for serious data breaches look like they will be significant.

If you have any queries in relation to GDPR, Data Protection legislation generally, or any other HR queries please do not hesitate to contact the employment team on 01228 552600 or 01524548494.

Email Alerts

Baines Wilson LLP send our clients and contacts legal updates by way of short email alerts. If you would like to receive our regular alerts, please follow the link below.

Sign up for Alerts

Awards & Accreditations

  • Lexcel
  • Chambers UK
  • Chambers UK
  • Supply Chain
  • Cyber Essentials