Below are some examples of large fines and actions issued in the UK under the General Data Protection Regulation (GDPR):
1. **British Airways (BA)**: In July 2019, the UK Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39 million for a data breach that compromised the personal and financial details of approximately 500,000 customers. The fine was later reduced to £20 million after BA appealed the decision.
2. **Marriott International**: Also in July 2019, the ICO announced its intention to fine Marriott International £99.2 million for a data breach that exposed the personal data of approximately 339 million guests. The breach occurred in systems associated with the Starwood Hotels group, which Marriott acquired in 2016. Marriott contested the fine, and in March 2020, the fine was reduced to £18.4 million.
3. **Ticketmaster**: In November 2020, the ICO fined Ticketmaster UK Limited £1.25 million for failing to secure its payment systems adequately, leading to a data breach affecting over 9 million customers across Europe. The breach occurred between February and June 2018 and involved malicious software on Ticketmaster’s online payment page.
4. **Cathay Pacific**: In October 2020, the ICO issued a fine of £500,000 to Cathay Pacific Airways Limited for failing to protect customers’ personal data adequately. The breach, which occurred between October 2014 and May 2018, exposed the personal details of approximately 111,578 passengers, including names, passport details, and travel histories.
These examples demonstrate the significant financial penalties that can be imposed for violations of the GDPR in the UK.
It is worth noting that fines are determined based on various factors, including the severity of the breach, the level of cooperation with the regulatory authority, and the measures taken to mitigate the impact on affected individuals.
Additionally, fines may be subject to appeal or negotiation, leading to potential reductions in the initial penalty amounts.
Contact us immediately for help if you suffer a data breach. In our experience, if all reasonable precautions were already in place and the breach is handled correctly, then it is possible that the ICO may not issue your company with a fine.