GDPR taken more seriously after first fines

Security professionals believe the first big fines under the General Data Protection Regulation will get organisations to take the new rules more seriously, but will not necessarily change policies or practices

Security professionals are divided over whether the first fines issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) were appropriate, a survey shows.

Of the Twitter followers of security firm Tripwire who were polled, 43% said the GDPR fines for British Airways and Marriott International were “appropriate” and 42% said they should have been greater, while only 12% thought the penalties were too high.

In July 2019, the ICO announced its intention to fine British Airways £183m in connection with an incident in September 2018 when bad actors redirected user traffic to a fraudulent website that harvested the personal and account information of about 500,000 customers.

The ICO announced a day later that it planned to fine Marriott International £99m in connection with a November 2018 data breach that exposed personal data contained in approximately 339 million guest records globally, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA), including seven million in the UK.

Both companies have indicated that they intend to make representations to the ICO about the findings of its investigation and the proposed fines.

While the penalties are significantly greater than any previous fines issued by the ICO under former data protection laws, when monetary penalties were capped at £500,000, the poll revealed that security professionals did not believe the fines would necessarily drive any change in company policies and practices, especially in the light of the fact that they represent only around 1.5% of annual turnover for British Airways and Marriott International.

Only 25% said the fines were likely to change policies and practices. A similar proportion (22%) said they believed there would be no change, while 52% said there would be some change, but not enough. Only 29% said the fines made them more confident about their personal data privacy.

However, the most positive indication from the Twitter poll was that 60% said they believed the fines would cause their organisation to take the GDPR more seriously.

A separate recent survey revealed that almost a third of European businesses are still not compliant with the GDPR, but there are encouraging signs of increased maturity in data protection, with the new rules driving better, business-supporting practices.

David Meltzer, chief technology officer at Tripwire, said organisations playing the waiting game on GDPR – or any other data privacy regulation – should not delay any longer.

“As we wait to see how, or if, these fines will be paid out, GDPR enforceability has caught momentum. What’s interesting about the poll results is that while these fines might inspire more action on the companies’ parts, they don’t inspire more confidence in individuals that their personal data will be better protected.

“Organisations will have to continue working for their customers’ trust. Those who have put the right amount of focus in establishing best practice fundamental security measures have a head start,” he said.

The GDPR has brought consumer trust issues around data to the fore, according to Elle Todd, partner at law firm Reed Smith.

“The largest tech companies can’t escape it and have been reacting by ensuring that privacy heads the agenda in CEO speeches and conferences. However, too few other companies have recognised the opportunity that GDPR represents to engage with users about how their data is used and to do so in a way that is compelling and different,” she said in a recent opinion piece for Computer Weekly.
