british airways gdpr fines

Marriott International and British Airways face proposed fines totalling more than £280 million for GDPR breaches.

The UK Information Commissioner’s Office (ICO) has issued notices of its intention to fine two heavyweight companies, British Airways and Marriott International Inc. (Marriott), for substantial data breaches affecting a total of around 340 million customers.

The fines come in the wake of the General Data Protection Regulation (GDPR), in force since May 2018, which has given the ICO greater powers to impose fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. We saw a glimpse of stricter enforcement of data protection rules last year when Facebook was fined £500,000 for the infamous Cambridge Analytica scandal, but that penalty was the maximum available under the old Data Protection Act 1998; these are the first proposed penalties under the new regulation.

On 8th July 2019 the ICO issued a notice of intent to fine British Airways £183.39 million over a cyber incident in which, in the ICO's words, user traffic to the company’s website was diverted to a fraudulent site that fed customers' information to the attackers. The malicious code was planted in a copy of the third-party JavaScript library Modernizr that British Airways served from its own site. That copy was an outdated version with known problems which the company had not updated for a number of years, and the injected script harvested the card details, booking information, login credentials, names and addresses of around 500,000 customers as they were entered. The size of the proposed fine is largely due to the number of people affected and the length of time the compromise went undetected.

The next day the ICO announced its intention to fine hotel giant Marriott £99,200,396 for an incident disclosed in November 2018. The systems of Starwood Hotels group are believed to have been compromised in 2014; Marriott acquired Starwood in 2016 but did not discover the compromise of the guest reservation database until 2018. The ICO noted that Marriott had failed to undertake sufficient due diligence, which if carried out properly would have identified the problem with the Starwood database.

Commenting on the fines, UK Information Commissioner, Elizabeth Denham, warned: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected. Personal data has a real value so organisations have a legal duty to ensure its security, just like they do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott and British Airways have 28 days to make representations to the ICO before a final penalty is decided, and both companies have confirmed their intention to do so.

Following the introduction of the GDPR, companies should be aware of the many risks and potential liabilities that come with handling personal data. These are not limited to financial penalties: British Airways and Marriott have undoubtedly also suffered a loss of customer trust as a result of these incidents. Although companies are becoming more aware of these risks at a contractual level, these most recent sanctions by the ICO highlight the need to obtain technical as well as legal advice, so that due diligence is thorough and takes technology-based assets into consideration.

If you would like to discuss any aspect of the GDPR in relation to your business, please contact Matt Worsnop at
