Cybersecurity and data protection are intrinsically linked. Robust cybersecurity measures will help a business meet (and possibly exceed) its obligations under the GDPR and thereby reduce the risk of fines. It is Cybersecurity Awareness Month, so this is a good time to consider whether your data protection processes and systems are (cyber)secure.
While most fines issued by data protection authorities have not made the headlines, some eye-catching (and eye-watering) fines have been proposed. The ICO’s proposed fines of £183.39 million against British Airways and £99 million against Marriott International stand out. Interestingly, these proposed fines came to public attention through the companies themselves: British Airways notified the London Stock Exchange, and Marriott made a filing with the US Securities and Exchange Commission, of the ICO’s intention to fine them. Publicly listed companies will therefore have to consider whether any GDPR fines (or proposed fines) are material enough to require disclosure.
Even more interesting, in the context of this blog, is the fact that both proposed fines arose from external cyber criminality. In the British Airways case, attackers stole customer personal data (including names, addresses, travel information, login details and payment card details). The ICO in its statement noted that the personal data had been compromised by “poor security arrangements” and that BA had “failed to protect” the data.
The Marriott data breach was more complex: it involved a vulnerability in the systems of Starwood, a hotel group which Marriott International acquired in 2016. Starwood’s systems had been compromised in 2014, but the theft of customer personal data was only discovered in 2018. The ICO said that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems”. There are obvious questions here about the legal basis of Marriott’s liability for a breach brought about by criminality before it owned or controlled the systems in question, but the ICO statement underlines the importance of cybersecurity measures in protecting personal data.
Both organisations have indicated that they intend to appeal the ICO’s proposed fines. For now, based on what is publicly known, we can say that having appropriately robust cybersecurity systems in place goes a long way towards ensuring your business protects personal data and thereby avoids both a data breach and a fine under the GDPR. We can also say that the systems you have in place to protect personal data and ensure GDPR compliance are likely to become increasingly important in the due diligence carried out before a merger or acquisition.
The first fines from the DPC are expected to be issued before the end of 2019, so we all wait with bated breath to see what we can learn about our own regulatory authority’s view on these and other issues.
If you have queries relating to cybersecurity and/or data protection, or about how your business can improve its cybersecurity, speak to our subject matter experts for further advice: call us on 1800 903 552 or e-mail us.