If data protection hasn’t crossed your mind much since the GDPR came into effect last year, then this month’s shocking announcements by the Information Commissioner’s Office (ICO) might give you pause.
Data in freefall
On 8 July, the ICO revealed British Airways (BA) was facing a record-breaking fine of £183 million for its widely publicised 2018 data breach. The incident saw 500,000 customers’ details harvested using a fraudulent website.
The following day, it was international hotel group Marriott’s time to face the music. For failing to protect the records of 339 million guests in November 2018, the ICO imposed a fine of £99.2 million. These were the first high-profile penalties under new GDPR rules to be made public.
The two substantial fines have eclipsed the previous record-holder – a penalty of £500,000, the maximum at the time, issued to Facebook in the wake of the Cambridge Analytica scandal. The reason? With the new data protection regulation also came new rules on reporting security breaches and new penalty powers for the ICO.
Although BA had originally claimed that travel and passport information had not been breached, the ICO’s investigation discovered that it had been, along with names, addresses and payment card information.
After the BA news broke, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”
Denham emphasised that the law is clear when it comes to the responsibility companies have to protect people’s personal data. “Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
If anything, BA got off lightly. The maximum penalty for data breaches is 4% of an organisation’s turnover. This multi-million-pound fine equates to just 1.5% of BA’s worldwide revenue in 2017.
Flights of fancy?
While the size of the fines might have come as a surprise to many, they’re also a welcome reminder of the importance of ensuring your organisation’s information security policy is compliant with current legislation.
Satisfying GDPR in 2018 alone won’t be enough to keep your company out of trouble – an up-to-date approach, through regular assessment, is the only way to guarantee your client, customer, supplier and employee data is protected and your business isn’t breaking the law.
Our comprehensive information security services, carried out by our team of experts, do just that.
Your data, protected and certified
If protecting corporate information, preventing cyberattacks, and gaining your customers’ confidence is paramount to your business, then ISO 27001 Certification is essential. It demonstrates you have suitable systems in place to protect data from being accessed, corrupted, lost, or stolen, both online and offline, bolstering your brand’s reputation and giving you and your customers peace of mind in the process.
To find out more about how your business can gain ISO 27001 Certification.
It pays to protect
Don’t put the fate of your organisation in the hands of the hackers, risking data loss, reputational and financial damage, and potentially crippling fines. If it can happen to corporate giants like British Airways and Marriott, it could happen to your business, too. We can’t prevent criminals from targeting your data, but with QMS’s experts by your side, our services provide the best possible defence.
Puzzled about your data protection policies? Fearful of a fine? Concerned about certification? Speak to one of our information security expert advisors today.