Share to Facebook Share to Twitter Share to LinkedIn

More than a year and a half after the General Data Protection Regulation (GDPR) came into effect the impact of the new regulation is increasing, rather than being a buzzword that many expected to fade. Huge fines and a very vigilant, and increasingly better funded, ICO are reminding organisations of their obligations under the law to protect data.


GDPR was designed to give individuals a lot more control over their personal data and prevent abuse of this, either deliberately or accidentally, by large companies or public bodies. Regulations were put in place to ensure that processors and controllers of personal data had appropriate technical measures and processes in place to ensure the security of this data. This also defines that any personal data can only be processed (including being collected and stored) under the purpose of one of several lawful bases. For more information about GDPR please see our previous articles dedicated to this important piece of legislation

GDPR also increased the potential fines for companies violating these rules and regulations, up to a maximum of €20 million or 4% of the annual worldwide turnover of a company. This level of punishment should be enough to ensure that most businesses have their houses in order, however a few have fallen foul quite spectacularly and there have been some very high profile and sizeable actions taken in the first 18 months of GDPR’s existence.

GDPR Penalties

British Airways have received a potential fine of €204,600,000 (£183.39M). Up to 38,000 customers may have had their contact and financial information stolen. Malicious code was planted on the British Airways website which, when the site was used to transfer payment information, copies this information to the attackers.

Marriott International have also received a potential fine of €110,390,200 (£99.20M). Their guest reservation database had been compromised allowing unauthorised access from as far back as 2014 giving access to names, passport numbers, credit cards and other personal information.  Marriott noted that credit card information was encrypted, but was unable to rule out the possibility that the encryption key had also been compromised.

Other household names to come under the ICO’s scrutiny include the HMRC, for failing to protect sensitive biometric data. They received a notice but not yet a fine, however they will still incur significant cost to rectify the shortcomings highlighted in the notice.

The ICO maintains a list of actions and enforcements it has taken on its website for public review, accessible here.  Or you can view the GDPR Enforcement tracker

What does a potential “Brexit” mean for the GDPR?

The GDPR will continue to apply if or when the UK leaves the EU. The UK was one of the key drivers of the GDPR in the first place and has long been committed to data privacy and protection concerns. The GDPR will become part of UK law as part of the European Union (Withdrawal) Agreement, and will continue to function alongside the Data Protection Act 2018.

In order to ensure the unhindered flow of information between the UK and the EU the internal and external legislation will need to be harmonised meaning that to ensure it retains its 'third country' status the UK will need to demonstrate that, if not completely analogous, its data protection legislation must at least be as tough as its EU counterparts.

More information can be found here “GDPR and Brexit: How will one affect the other?” 


Regardless of the outcome of Brexit the ICO has demonstrated that it takes the business of data protection very seriously and has demonstrated this with the two largest GDPR fines of all the EU states so far.

A review of the enforcement pages shows that there is no bias when it comes to the ICO’s implementation of the law. The enforcements range from actions against individuals and small businesses up to multinational corporations, from several hundred pounds in fees and fines to hundreds of millions of pounds.

We recommend all businesses review their obligations and follow the guidelines for managing and safeguarding personal data.