DATA PRIVACY UPDATE: GDPR-GRADE FINES ISSUED BY UK ICO
The UK’s Information Commissioner’s Office (ICO), using its powers under the General Data Protection Regulation (GDPR), has issued a notice of its intention to fine British Airways, part of International Airlines Group (IAG), £183.39 million ($230 million). The figure is a proposed penalty: BA is able to make representations before the ICO sets the final amount.
The proposed fine relates to a data breach that took place in 2018. Attackers compromised the British Airways website so that user traffic was diverted to a fraudulent site, and through it they were able to harvest the personal data of about 500,000 customers, including names, addresses, logins, payment card details and travel booking details.
The ICO has also announced its intention to fine Marriott International £99.2m over security failings affecting the Starwood guest reservation database. Marriott acquired Starwood in 2016, but the compromise of Starwood’s systems is believed to date from 2014, before the acquisition, and was not discovered until 2018; the ICO has made the point that an acquirer is expected to carry out due diligence on the security of the systems it takes on. The breach affected an estimated 30 million guests in Europe and 339 million guest records worldwide.
The GDPR came into effect on 25 May 2018 and was the first large-scale update to European data protection law in 20 years. It gives individuals (known as data subjects) greater control over how organisations process their personal data, and imposes obligations on those organisations to be transparent about how that data is used.
The GDPR applies to organisations established in the EU that collect, store or otherwise process personal data, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. It protects individuals in the EU regardless of their citizenship.
The maximum penalty for a GDPR infringement is an administrative fine of up to €20 million or 4% of annual global turnover, whichever is greater. However, not all infringements result in a fine.
Supervisory authorities such as the ICO are also authorised to take a range of other actions: they can issue warnings and reprimands; impose a temporary or permanent ban on processing; order the rectification, restriction or erasure of data; and suspend data transfers to third countries.
Information Commissioner Elizabeth Denham said in a statement:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Svethlana Milanes, ABComm
Contact W3IP Law on 1300 776 614 or 0451 951 528 for more information about any of our services, or get in touch at email@example.com.
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.