Key lessons from the record BA and Marriott GDPR fines

After a year of apparent inaction, the ICO (Information Commissioner’s Office) has struck twice in two days with the two largest privacy-related fines in the EU.

I think organisations can draw two key lessons from these actions:

1. You can’t dodge the need for effective cyber security measures

The ICO has been very clear that organisations that process personal data must take appropriate steps to identify and manage risks to that information.

All organisations suffer data breaches; those that have effective cyber security measures in place are at least able to limit the impact of a breach. Those that don’t are seriously exposed (remember, the BA breach lasted for five weeks and exposed 500,000 records) and face the prospect of regulatory action, fines and still having to make the investment in proper security measures.

So, the first lesson is that cutting costs where cyber security is concerned is a seriously false economy.

2. Parent companies must be accountable for the security of subsidiaries

The Marriott fine relates to a data breach in an acquired company; the ICO’s view is that Marriott should have done adequate due diligence prior to completion and should have identified and dealt with an existing, long-running data breach.

The ICO said that accountability “can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

The Marriott compromise started in 2014 but was only identified in 2018. So, the second lesson is two-fold: management must take its GDPR accountability seriously, and parent companies can be held to account for GDPR failures in subsidiaries.