Skip to main content

ICO issues first significant fines under GDPR

ICO issues first significant fines under GDPR

With fresh GDPR fines being issued at unprecedented levels, it’s important for organisations to ensure they aren’t  next in line.

Earlier this month, the Information Commissioner’s Office (ICO) issued two substantial fines to British Airways and Marriot Hotels, of £183 million and £99.2 million respectively.

These are the biggest fines to be issued by the ICO since the General Data Protection Regulation (GDPR) came into force. They also serve as a reminder that GDPR has real teeth and is much more than just scaremongering from lawyers and cybersecurity consultants. 

Pre-GDPR, the ICO issued seven fines totalling £1,960,000 under the Data Protection Act 1998 so the difference is significant, to put it mildly.   

Both the BA and Marriott cases involved serious security breaches. In the BA case, hackers obtained personal data, including financial data, from about 500,000 users of the BA website. The incident is believed to have occurred in June 2018. 

Marriott was also subject to a hack whereby personal data – including card details, passport numbers and birth dates of up to 500 million customers – was compromised. The hospitality company reportedly became aware of the incident in September 2018 but access to the compromised data may date as far back as 2014.

There are some important lessons to take from this.

Firstly, the ICO has clearly developed an appetite for flexing its muscle by using the extended enforcement powers granted to it under GDPR, and the scale of financial penalties has changed entirely from the pre-GDPR regime when they were capped at £500,000 – certainly in relation to security breaches involving sensitive personal information relating to consumers.

The fines may not yet represent the full extent of the financial consequence for the companies concerned, with both BA and Marriot experiencing a slight dip in share value when the fines were announced. However, neither company nor the ICO have reported on any individual claims arising from ‘data subjects’ – any person whose personal data is being collected, held or processed – following these incidents.

Secondly, the number of data subjects affected may not impact upon the value of the penalty issued, which in the cases above represented a percentage of each company’s annual turnover. Indeed, British Airways’ fine is over £83 million higher than Marriott’s despite the airline’s breach affecting a smaller number of data subjects.

These cases also illustrate that the most severe penalties under GDPR are likely to be imposed in the areas of security breaches and unlawful direct marketing. 

In another recent case, the ICO fined telecoms company EE £100,000 for engaging in direct marketing without customer consent when it sent out approximately 16 million text messages to service users including over a million who had opted out of receiving marketing communications.

EE’s argument that the messages, which encouraged users to use an account management app, were service-related rather than marketing communications, was given pretty short shrift by the ICO. An unsurprising outcome, given what they contained. 

In explaining its decision, the ICO did not offer much more than a reference in the existing Direct Marketing Guidance as to the difference between service and marketing communications, albeit in this case there was no real doubt.

It’s worth noting that the more modest fine of £100,000 may not necessarily reflect the ICO’s view on the severity of this type of breach, given that it was issued under the former Data Protection Act 1998 rather than GDPR – but it certainly remains a warning to others.

In many ways the EE case is notable for the degree to which a large, well-resourced and presumably well-advised organisation was so obviously non-compliant. In fairness to EE, the messages in question were sent in early 2018 when most organisations were in their pre-GDPR ‘housekeeping’ phase, so it is likely practices will have evolved since.

It will be interesting to see the sorts of penalties which are imposed under GDPR by the ICO if it were to consider an EE-type situation with its new powers. 

The ICO reported that it had received 13,800 data breach reports and over 40,000 data subject complaints in 2018/19, so these fines will not be the last and there are undoubtedly further investigations underway.

The best advice? Keep GDPR compliance on the radar and deal with any weaknesses in processes or communications, ensure your team are well educated on their responsibilities, minimise access to personal data, and keep proper records of  data protection activities.

Sink some time into your GDPR compliance and you’ll be in good shape to avoid the ICO sinking its newfound teeth into your organisation.

Liam McMonagle is a specialist Intellectual Property, Technology and Media Solicitor, advising clients on Data Protection and GDPR. We are always delighted to talk without obligation about whether we might meet your needs. Call Liam on 0131 225 8705 or email

About the author

Liam McMonagle
Liam McMonagle

Liam McMonagle


Corporate & Commercial, GDPR, Intellectual Property, Trade Marks

For more information, contact Liam McMonagle on 03330 166583 .