If you are a UK business, there is a one in three chance that you are at risk of hefty GDPR fines. New data released by advisory firm RSM shows that approximately 30% of UK businesses are still not GDPR compliant. It is imperative to ensure that you comply with all aspects of GDPR in order to satisfy regulators' concerns. If you are still not GDPR compliant, now is the time to take action.
Marriott and British Airways Breaches
This July, two of the biggest GDPR fines to date were levied against British Airways and Marriott Hotels; at the time of writing, both fines are still subject to appeal.
British Airways has been fined £183 million by the British Information Commissioner’s Office (ICO).
In both cases, though, GDPR fines could have been avoided.
BA and Marriott GDPR Failings
In the case of BA, in 2018 cybercriminals diverted customers to a fraudulent site and harvested the personal data of 500,000 of them.
In the case of Marriott, 339 million guest records (including passport details) were harvested in a hack that took place between 2014 and 2016, when the affected company was still the Starwood hotels group (Marriott acquired Starwood in 2016). The breach was not discovered until 2018.
In both cases, the Information Commissioner's Office found BA and Marriott guilty of several GDPR compliance infringements:
- Stored customer data was not encrypted or anonymised. The data breaches have put real people at risk of personal and financial harm.
- Security audits by Marriott and BA failed to identify the exploits used in the hacks. Marriott Hotels were not aware of the data breach for 4 years.
- Marriott waited three months after the breach was discovered before informing guests.
The ICO ruled that, to have avoided GDPR fines, BA and Marriott should have employed both stronger cybersecurity measures and stronger auditing practices. These should have included encrypted storage of anonymised data records and faster security breach response times.
What Should Be on Your GDPR Checklist?
If you are a UK business which is still not GDPR compliant, the time to take action was yesterday. To avoid GDPR fines you need to act fast.
EU and UK businesses had two years to prepare for GDPR. At the very least, businesses need to invest in a comprehensive GDPR audit as soon as possible. Alternatively, if you are a startup or SME, it will in most cases be more economical to migrate existing landing pages and websites to fully accredited, GDPR compliant platforms like LeadLabs.
Getting to grips with GDPR retrospectively in 2019 can be costly and time-consuming. In many cases, websites will need to be completely redesigned. At the same time, new data security, storage, and access policies will need to be implemented. Migrating to platforms like LeadLabs completely automates this process.