25 May 2018 is a date likely etched on the hearts of information controllers everywhere: the date the General Data Protection Regulation (GDPR) came into force. Fifteen months on from the introduction of GDPR, what changes have we seen? Have any companies received the dreaded fine of 4% of their annual global revenue?

As we are likely all aware, the EU GDPR is the most important change in data privacy regulation in 20 years, transforming the way in which personal data is collected, shared and used globally. Most processing of personal data is now subject to the GDPR. The Regulation requires a lawful basis for processing data, incorporates seven key principles (such as accuracy, accountability and data minimisation) and provides various rights for individuals (such as the right of access and the right to object).


So what fines have resulted since the GDPR came into force? The powers of the Information Commissioner's Office (ICO) were bolstered significantly with its introduction.

The biggest fine to date has been for £183.39 million. In July 2019, the ICO announced that it had fined British Airways and its parent company, International Airlines Group (IAG), in connection with a data breach that took place last year – affecting 500,000 customers who had browsed and booked tickets online. This fine was 1.5% of BA's total revenues for the year ending December 2018, but could have been as much as 4%.

A day later, the ICO fined Marriott International £99.2 million. This related to a cyber-breach in another hotel chain that Marriott subsequently bought.

As this breach was reported to the ICO in November 2018 (once GDPR was in force), the fine was substantially higher than it would have been under the previous Data Protection Act. Under that Act the maximum fine would have been £500,000.

Looking to the rest of Europe, a hospital in Portugal was fined €400,000 (roughly £350,000) for a range of failures, including a profile management system which showed the profiles of 985 registered doctors (despite the fact that there were only 296 doctors engaged at the hospital) and gave doctors unrestricted access to all patient files, regardless of the doctor's specialty.

Going forward

We can see that data regulators such as the ICO are not afraid to issue large fines and that data privacy and protection are to be taken seriously. Although the fines highlighted above are at the higher end of the scale, it is likely that more will follow. These have been imposed on a range of companies – such as a hotel chain and a hospital, not just tech companies as you might expect.

Going forward, the ICO has stated that its main areas of focus will be:

  • cyber security;
  • AI, big data and machine learning;
  • web and cross-device tracking for marketing purposes;
  • children's privacy;
  • use of surveillance and facial recognition technology;
  • data broking;
  • the use of personal information in political campaigns; and
  • freedom of information compliance.

Companies should continue to audit their current compliance and ensure that staff are adequately trained in GDPR. It is worth noting that BA was externally hacked and no customer suffered any financial loss, yet they received a substantial fine nonetheless. Marriott was fined for IT security failings that were present before it even bought the company responsible, so companies need to take every precaution to avoid incurring hefty fines.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.