UK ICO Flexes Its Muscles in Issuing Significant Fines for Alleged GDPR Infringement

July 17, 2019

Signaling its intent to take personal data protection and cybersecurity seriously, the UK Information Commissioner’s Office recently proposed two significant fines on global organizations. Firms should take note and ensure that cybersecurity is top of mind in the design and implementation of technology and outsourcing strategies.

The UK Information Commissioner’s Office (ICO) lobbed a metaphorical hand grenade into the technology and outsourcing world by announcing on July 8 that it had issued a notice of intention to fine British Airways just over £183m ($227.5 million) for alleged infringement of the EU General Data Protection Regulation (GDPR). The fine, which British Airways is contesting, relates to a cyber incident that British Airways disclosed to the ICO in September 2018, in which the personal data of approximately 500,000 British Airways customers was compromised. The start of the incident is believed to have occurred in June 2018, notably just weeks after the GDPR came into force on May 25, 2018.

What has inevitably caught the eye of businesses and commentators is the sheer magnitude of the fine, which amounts to approximately 1.5% of British Airways’ global turnover. Or, perhaps more interestingly, just over 366 times the ICO’s largest prior fine of £500,000 ($621,770), which was the maximum level permitted under the pre-GDPR rules.

Just a day later, the ICO issued a statement announcing a notice of intention to fine Marriott International, Inc. (Marriott) more than £99m ($123.1 million) for a separate alleged infringement of the GDPR, which Marriott is also contesting. The ICO stated that the proposed fine relates to a cyber incident of which Marriott notified the ICO in November 2018.

The size of the proposed fines is reflective of the greater enforcement powers enjoyed by the ICO, which can now impose a fine of up to 4% of global turnover under the GDPR. However, the amounts of the fines have taken many in the cybersecurity and privacy industry by surprise, in part because of public statements made by the ICO in April 2018 that “I have no intention of changing our proportionate and pragmatic approach after 25 May,” and, in particular, in December 2018 that “companies who are trying their best to comply with the rules and are cooperating with EU regulators can expect to engage the advisory and warning end of our toolkit.” The ICO stated that both British Airways and Marriott have cooperated with the ICO’s investigation. However, these public statements must also be interpreted alongside warnings from the ICO that “hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law.”

Interestingly, in the case of both British Airways and Marriott, the ICO is acting as lead supervisory authority on behalf of other EU member state data protection authorities whose citizens are impacted by the cyber incidents. Under the GDPR’s “one-stop shop” mechanism, those other data protection authorities will have the chance to comment on the ICO’s findings, including the amounts of the proposed fines. Those amounts may be intended as a signal to the EU that the UK intends to continue to take compliance with the GDPR seriously post-Brexit, potentially assisting in discussions around a decision of “adequacy” that the UK will seek once it becomes a “third country” upon leaving the EU.

The Facts

The ICO’s reasoning for the fine amount in each of its announcements has not yet been made public, and will no doubt form part of the ICO’s final decision notices in each case. In particular, it is not yet clear whether there was any conduct in either case amounting to the type of “persistent, deliberate or negligent flouting of the law” previously referred to by the ICO (which might go some way toward explaining the level of the fines), or on what basis the magnitude of the proposed fines was calculated.

However, firms will naturally be concerned about the level of the proposed fines and will be keen to understand the reasoning behind the ICO’s decision and quick succession in setting fines of this magnitude.

The ICO’s final decisions in these cases will therefore be an important step in helping firms to understand both how the ICO is likely to go about enforcing the data security obligations under the GDPR and what its expectations are in relation to the technical and organizational security measures that firms are expected to undertake.

Fines or civil monetary penalties are subject to a right of appeal to the First-Tier Tribunal General Regulatory Chamber against the imposition of the penalty and/or the amount of the penalty. British Airways and Marriott will each now have the opportunity to make representations to the ICO as to the proposed findings and sanctions.

What Should Firms Do?

Many firms have embarked on (or are still undertaking) GDPR compliance programs and these efforts should continue. Data security obligations under the GDPR are imposed on both “data controllers” who determine how and why personal data are collected and “data processors” elsewhere in the supply chain, including outsourced service providers and other suppliers who process, store, or otherwise handle or interact with personal data on their customers’ behalf.

All of those firms should regularly

  • review internal and vendor IT security arrangements (including IT security policies and data breach discovery processes) against the security requirements contained in the GDPR and the relevant guidance issued by the relevant EU data protection authorities (for example, see the UK ICO’s guidance on security); and
  • map and evaluate the inclusion of any third-party software, ensuring robust change control measures are followed within their own organizations but also by their third-party IT vendors and subcontractors.

    In particular, parties (both customers and suppliers) to IT and other technology procurements should carefully review their new and existing contractual arrangements, including by

  • reviewing IT security and data breach reporting obligations;
  • ensuring that those contracts reflect the contractual clauses mandated under Article 28 of the GDPR (for more information, see Part 1 and Part 2 of our Tech & Sourcing @ Morgan Lewis series on the GDPR and processing addendums); and
  • ensuring that issues of allocation of risk and limits of liability for cyber incidents are properly articulated.

Customers, in particular, should consider carefully how their overarching obligations of accountability under the GDPR are reflected in their dealings with third-party suppliers and other partners. One way to achieve this is to ensure that the contract contains a clear demarcation of responsibility for assessing the privacy and security implications of new and existing services, including changes to both the services and the cybersecurity landscape over the life of the arrangement. This might include requiring suppliers to conduct privacy impact assessments for certain types of change and ensuring that key change and project procedures are robust and incorporate principles of “privacy by design.”


The Morgan Lewis technology, outsourcing and commercial transaction team and privacy and cybersecurity team will be following developments closely, and we will provide updates once the final decision notices in each case are issued.

In the meantime, the message from the ICO seems clear: It is not afraid to wield its considerable powers under the GDPR where firms are found wanting in the measures taken to protect the security and confidentiality of personal data.

With the UK ICO in the spotlight as the lead supervisory authority for both these global organizations, the fines show how willing the ICO is to deal with data breach incidents quickly and seriously, as it conducted these comprehensive investigations in a matter of months.

The proposed fines will set the standard for the rest of Europe, indicating that in a post-Brexit world, it is unlikely the UK will fall short in having stringent data protection standards and penalties, despite being a “third country” without an adequacy decision from the European Commission.

For firms, cybersecurity should be front and center—if it isn’t already—when it comes to the design and implementation of your firm’s technology and outsourcing strategies, whatever your industry or sector.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Mike Pierides