Last week the news broke that hotel group Marriott is to be fined £99.2m by the Information Commissioner's Office (ICO) after malicious attackers stole the records of 339m guests.
In November 2018, Marriott International, the parent company of hotel chains including Westin, Le Méridien and Sheraton, admitted that customers' personal data, including credit card details, passport numbers and dates of birth, had been stolen.
Following the enforcement of GDPR in May 2018, the ICO has begun to impose bigger GDPR fines, with two high-profile fines for breaching the GDPR guidelines coming last week alone: British Airways £183m and Marriott £99.2m.
Prior to these two announcements, the total value of all GDPR fines since the legislation was enforced in May 2018 stood at €56m, with a significant portion of this being a €50m fine by the French DPA (CNIL) against Google in relation to its use of personal data for personalising advertisements.
However, the ICO is really beginning to raise the stakes. Businesses need to understand the significance of collecting and storing customer data, and that the consequences of not taking measures to secure this information can be severe.
Unfortunately, although it is the larger, high-profile businesses which make the headlines with the monumental fines when it comes to GDPR breaches, it is the smaller businesses which are more vulnerable.
Whilst a large business could absorb a fine amounting to €20m or 4% of global annual turnover, whichever is greater, what would happen to your organisation if those numbers were levied on you?
Also, how would you rebuild your reputation and regain the trust of customers who had moved over to other providers in the event their data was stolen?
Investing time and resources into improving your organisation's defence against malicious threats is paramount to ensuring your sensitive data is kept secure. We have already outlined a number of basic measures your organisation needs to be taking to defend against cyber threats in a previous article, which can be found here:
However, the ICO is looking for organisations to demonstrate that they have taken ongoing measures to ensure the safety of their data. Two of the most common measures organisations take are Vulnerability Assessments, which can be conducted at regular intervals to check your systems and networks for known vulnerabilities, and Penetration Tests, which SES recommend you complete once a year and after each major version change.
As the GDPR legislation is now in full effect, it is imperative that all organisations ensure that they are fully compliant with GDPR. If you haven't yet taken measures to ensure your organisation is GDPR compliant, or you have questions regarding GDPR compliance, please get in touch to speak to one of our specialists.
© Financechain Limited trading as SES and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.