The Information Commissioner’s Office, the UK’s data watchdog, now armed with the much-discussed General Data Protection Regulation has begun to flex its muscle and has expressed its intention to impose large monetary fines on companies who have suffered data breaches.

Earlier this month the ICO handed out a record fine of £183.39m to British Airways following breaches of its security systems in 2018. Not only was this a record fine from the ICO but was the first to ever to be made known to the public.

Before the introduction of GDPR, under the Data Protection Act 1998, the maximum penalty in the United Kingdom was £500,000, GDPR now allows a company to be fined a maximum of 4% of its worldwide turnover. This is why BA’s fine is substantially higher than Facebook’s £500,000.00 fine following the Cambridge Analytica scandal. For reference BA’s fine is the equivalent of 1.5% of BA’s global revenue for 2017.

The ICO also published its intention to fine Marriott International Inc more than £99m for its data breach.


In what Alex Cruz, Chairman and CEO of British Airways described as a “sophisticated, malicious criminal attack” hackers between 22:58 (BST) on 21 August 2018 and 21:45 (BST) on 5 September 2018 diverted people to a fraudulent site which was used as a vehicle to obtain the financial details of customers who were making or changing bookings were compromised. The attackers were able to steal the personal data of around 500,000 customers including their names, addresses, logins, payment card and travel booking details.

The Information Commissioner, Elizabeth Denham, had the following to say:

People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.

The ICO’s intention to fine British Airways can be found here.

Following the issuance of the notice of intention to fine from the ICO, BA has twenty eight days to appeal the fine. Alex Cruz indicated that BA were surprised and disappointed by the proposed penalty, as they had found no evidence of fraud on any of the accounts with a link to the data theft.


The international hotel group, Marriott, is also due to receive a £99,200,396 fine from by the ICO after hackers were able to access and steal the records of some 339 million guests. Hackers were able to access and steal the following personal details: credit card numbers, passports numbers, and dates of birth.

Marriott’s issues are as a result of Starwood Hotels’ systems becoming compromised in 2014. As Marriott only acquired Starwood in 2016, when the theft of customer information was already ongoing, it may at first glance seem like the fine is a little unfair, however, Elizabeth Denham laid down the following telling statement:

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

The ICO’s intention to fine Marriott International, Inc can be found here.


The money recouped from fines that comes to the ICO goes directly to the treasury and is not compensatory. It is up to any individuals who have been affected by the breach to contact the companies facing the fine.

The message from the ICO is clear, you must treat your customers’ data with great care or face the very severe consequences.