Carrots off the menu for BA and Marriott as the ICO waves its stick

Whilst 25 May 2018 was a historic date in the data protection world, 8 July 2019 was the day that the ICO showed the world that it is a regulator with real teeth. Over two consecutive days, the ICO issued notices of intention to impose huge fines on British Airways (BA) and Marriott International for data breaches relating to cyber incidents. The news stunned organisations of all sizes in the UK and beyond and is a stark reminder that data protection and cyber security should remain a priority for all organisations.

The Fines

In the run-up to the GDPR coming into effect, there was much publicity about the potential fines that can be imposed by supervisory authorities under the GDPR. Whilst previous data protection legislation gave the ICO the power to issue fines of up to £500,000, the GDPR allows for fines of up to 4% of worldwide turnover or 20 million Euros (whichever is the higher).

Last year the ICO was keen to dispel any talk of it coming down with a stick on organisations that were not fully compliant. In its “Sorting the fact from the fiction” blogs the ICO said it preferred the “carrot to the stick approach” and that “issuing fines has always been and will continue to be a last resort”. With the announcements regarding BA and Marriott, carrots are definitely off the menu and the ICO is very clearly waving its stick. This is an indication of the severity of the incidents, bearing in mind the statement by Elizabeth Denham (Information Commissioner) that “Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law”.

On 8 July 2019, the ICO issued a notice of intention to fine British Airways £183.39m for breaches of the General Data Protection Regulation (GDPR). The fine relates to a cyber incident which started in June 2018 and compromised personal data of approximately 500,000 customers. BA notified the ICO of the incident in September 2018.

On 9 July 2019, the ICO issued a notice of intention to fine Marriott International more than £99m for breaches of the GDPR. The fine relates to a cyber incident which affected Starwood Hotels between 2014 and 2018. Starwood Hotels was acquired by Marriott in 2016 but the cyber incident was not detected by Marriott until November 2018. The incident led to the exposure of personal data in approximately 339 million guest records, seven million of which related to UK residents and millions more related to residents of other EEA countries.

At this stage, we do not know the finer details of the incidents and the investigations carried out by the ICO. Both BA and Marriott have stated that they will make representations to the ICO and contest the intended fines; the ICO will consider these representations before it makes its final decision. Having gone public with the intention to issue such huge fines, it remains to be seen whether the ICO will reduce them. If it does not reduce them, it looks likely that both BA and Marriott will appeal.

The Takeaways

So whilst we wait to find out the level of fines to be imposed on BA and Marriott, what lessons can we take away from these two incidents?

Due Diligence for Corporate Acquisitions 

The proposed fine for Marriott relates to a cyber incident affecting Starwood Hotels before it was acquired by Marriott in 2016. The notice of intention issued by the ICO states that Marriott failed to carry out sufficient due diligence when it acquired Starwood and that Marriott should have done more to secure its systems. The Information Commissioner Elizabeth Denham highlighted that when acquiring a company, proper due diligence of that company, and ensuring the security of personal data held by that company, is part of the accountability principle in the GDPR. This incident is an important one for those involved in corporate acquisitions. Buyers must ensure that not only does a target company have the necessary policies and processes in place, but that it actually complies with these. Thorough due diligence of security systems is required, as well as suitable protections in the acquisition documents.

GDPR is more than a paper exercise 

Just over a year ago, organisations were frantically sending out data processing agreements and updating privacy policies and marketing consents. For many, GDPR compliance was simply a paper exercise. Compliance with the GDPR is, however, about so much more than having the right documents. Implementation is key. It is not sufficient to have a privacy policy that does not actually reflect an organisation’s practices and processing activities. Recently, we have seen a fine issued by the Danish Supervisory Authority against a taxi company that did not comply with its own retention policy. The existence of a policy that is not followed is not going to assist an organisation when it has to answer questions raised by the ICO. As well as updating documentation, organisations should rigorously review their security systems and internal practices as part of their GDPR compliance programme. They should also ensure that their staff are adequately trained in terms of security and data protection and that training is refreshed on at least an annual basis.

Cyber Security and Resilience

The latest incidents highlight the importance of cyber security and resilience which must be a priority for all organisations, particularly those handling large quantities of personal data. The GDPR requires all organisations to take appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk. The GDPR is not prescriptive regarding the measures that need to be put into place. Organisations are therefore left to decide for themselves what is “appropriate”. This is certainly not easy, particularly when it comes to cyber crime which is becoming ever more sophisticated as cyber criminals continually look for new ways in which to attack.

Security can be particularly challenging for small organisations which, despite their size, could hold a vast quantity of personal data. The requirements for security are the same irrespective of the size of the organisation. Size is not a mitigating factor when it comes to determining the level of fine for breaches of the GDPR. All organisations must be able to demonstrate that they have appropriate measures in place. The training of staff and regular auditing and testing of cyber response plans are crucial. All this should be documented so that it can be passed to the ICO in the event of an incident.

A few days after the ICO announced its notices of intent to fine BA and Marriott, OneTrust, a privacy management software provider, announced a $200 million Series A investment. The IAPP has reported that its 2017 Privacy Tech Vendor Report listed just 51 privacy technology companies, which increased to 192 in the 2018 version. This number is expected to rise when the 2019 report is released in a few weeks. With all companies at risk (not just the big US corporate giants), there is likely to be an increase in demand for privacy enhancing technology. For venture capitalists looking to invest in this area, the challenge will be looking for the right companies to invest in given the explosion in numbers.

GDPR is not a one time project 

Whilst 2018 was a significant year for data protection, that is not and should not be the end of a company’s compliance programme. The principles of privacy by design and by default are enshrined in the GDPR. These principles require data protection to be embedded into an organisation’s systems, policies and procedures and not tacked on as an afterthought. The technological advancements that we deal with on a daily basis, for example the growth of AI and the internet of things, will always present challenges from a data protection perspective. How can organisations take advantage of the benefits of new technology and disruptors without having an adverse effect on individuals’ rights and freedoms? It is a balancing exercise and something that needs to be considered at the start of any project and kept under constant review.


For any organisation entering into a contract involving the processing of personal data, it will be important to consider the liability position. The threat of fines of up to 4% of worldwide turnover or 20 million Euros (whichever is the higher) has led to an increase in requests for uncapped liability in respect of data protection breaches. The news of the proposed fines for BA and Marriott will make negotiating any financial cap on data protection liability even more difficult. We can also expect to see an increase in the demand for mutual indemnities for data protection losses.


Organisations should review their insurance policies. Insurance for data breaches and cyber incidents is available but the policies should be reviewed carefully to understand the extent of the cover. Whilst cover is available for costs and liabilities arising from a data breach, the insurability of GDPR fines in the UK is unclear. The small print of any available policy will likely qualify the cover by stating that it is subject to the insured interest being legally insurable. As any breach of the GDPR would amount to an unlawful act, it is arguable that the principle of “ex turpi causa” would apply, which provides that you cannot benefit from your own unlawful act. A common sense approach would also suggest that a policyholder cannot rely on an insurance payout to cover a punitive fine because the deterrent nature of the fine would then be removed. Therefore, whilst insurance may provide some comfort, it will not remove all risks and organisations should be aware of the danger of policies not paying out. Further, any insurance policy will not cover the costs to an organisation’s reputation in the event of a breach of the GDPR.

It was only a matter of time before we saw news of the first fines under the GDPR from the ICO. Nevertheless, the news of the intended fines for BA and Marriott will have surprised most, not only because of the level of the fines but also because of the names of the companies in the firing line. The news marks a clear end to any initial ‘grace period’ that the ICO may have been allowing organisations to get their house in order, and announcements of more fines will undoubtedly follow. The existence of policies, contractual provisions and procedures is important but implementation of the same and regular testing, auditing and training is crucial. Whilst the ICO will continue to educate organisations, the message is clear – organisations are entrusted with people’s personal data and have a duty to maintain the security of this personal data. Ultimately, if an organisation gets this wrong the ICO will come after it with a big stick.

 For any more information please contact Suzie Miles from our Commercial Team. 
