GDPR
fine is preliminary," states Ashley Hurst, partner and head of tech, media and comms at international legal practice Osborne Clarke. "Historically, fines were announced once the final decision regarding the amount of that fine was reached. It may be that the size of the proposed fine and the listed status of British Airways was such that there was no choice but for IAG to publicly announce the size of the intended fine."
The proposed fine will also provide encouragement for a rapidly growing group of claimant personal injury lawyers looking to bring post-data breach claims for compensation, he adds. "It is often difficult to attribute a data breach to a breach of the GDPR and even more difficult to prove that such a breach has led to damage and distress, so it will be interesting to see whether the ICO will make any comment about this."
Over the last year, speculation has been rife regarding the approach that the ICO will take to fines. "It is now clear that the ICO will not be gradually scaling up from its previous £500,000 maximum: the proposed £183.39m penalty is equal to 1.5% of British Airways' worldwide turnover of £12,226m in 2017," adds Hurst. "This is substantially less than the possible maximum GDPR fine of 4% of worldwide annual turnover, but still startling and demonstrates more than ever that cybersecurity needs to stay on the board agenda."

Prior to this announcement, the total value of all fines issued under the GDPR across all EU member states had amounted to 56 million euros. This includes a 50 million euro fine by the French DPA (CNIL) against Google for what the CNIL considered to be a lack of transparency, inadequate information and lack of valid consent, in relation to Google's use of personal data for the purposes of personalising advertisements.
And Osborne Clarke's Hurst adds: "When the decision is finally published, this case should provide some long-awaited clarity regarding the ICO's exercise of its enforcement powers and, in particular, what it considers to be 'appropriate technical and organisational measures' to protect personal data, which is the key technical standard littered throughout the GDPR."
ANOTHER BIG TARGET<br />
Following on from the BA debacle, Marriott is next up, as it also faces a huge data fine: £99 million for allegedly failing to protect customer data. The hotel chain acknowledged in a regulatory filing in July this year that Britain's Information Commissioner's Office intends to impose the fine under the GDPR.
Jake Moore, Cybersecurity Specialist at ESET, had this to say in the wake of the news breaking: "Well, the snowball has surely started to gain momentum now and this just highlights that it's not just UK companies at risk of eye-watering fines either. Other firms who suffered from large breaches post-May 25, 2018, better start saving, because the ICO clearly means business."
Gregory Voss, TBS Business School: the relatively low levels of GDPR fines are a reflection of the time it takes to conduct investigations.
Jake Moore, ESET: other firms who suffered from large breaches post-May 25, 2018, better start saving, because the ICO clearly means business.
FALLING SHORT<br />
For Jason Hart, cybersecurity evangelist, Thales, GDPR hasn't improved data protection to the extent many in the industry had hoped. "With the number of breaches being reported dramatically increasing, it's clear the threat of fines and a potential hit to their reputation is only having a small impact on how seriously businesses take their cybersecurity. Worse, just a tiny percentage of the attacks can be considered 'secure breaches', where the stolen data is encrypted, rendering it useless to cybercriminals. Unless businesses are made to adhere to GDPR recommendations such as encrypting data directly, it will continue to have minimal impact in the UK."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security<br />
11