GDPR: the next challenge

GDPR (General Data Protection Regulation) has been a key regulatory challenge for firms in recent years as they rushed to ensure compliance before it came into force in May 2018. Since then, record fines have been issued to major organisations, including British Airways (BA), Google and H&M. In this report, we look at some of the high-profile examples of GDPR breaches and penalties, plus the key data-protection issues firms should be aware of as we approach the end of the Brexit transition period.

British Airways: £20m fine (reduced from £183m)

BA was fined £20m in October 2020 for data protection failings that led to a major cyberattack in 2018. Criminals gained access to the personal information of more than 400,000 BA customers, including their payment card details. The UK’s Information Commissioner’s Office (ICO) initially announced it would be pursuing a penalty of more than £183m from the airline, but this was later reduced to £20m after considering mitigating factors, including the impact of the COVID-19 pandemic on BA’s finances. Nonetheless, £20m is still the largest fine issued in the UK under GDPR to date.

The incident entailed website users being diverted to a fraudulent site where customer details were harvested by cyber criminals. It is believed to have begun in June 2018. An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place, and that the resulting attack went undetected for more than two months. Investigators ruled that BA ought to have identified the weaknesses in its security and resolved them with measures that would have prevented the attack.

Google: €50m fine

French regulator the CNIL (Commission Nationale de l’Informatique et des Libertés) fined Google €50m in January 2019 for GDPR violations relating to data collected for the purposes of advertising. The CNIL ruled that Google failed to provide enough information about its consent policies and about how the data it collects is used to inform targeted advertising campaigns. In its justification of the penalty amount, the CNIL said: “The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations … Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”

Two privacy rights groups, noyb and La Quadrature du Net (LQDN), filed complaints against Google in May 2018. They claimed the tech giant did not have valid consent to process user data for ad personalisation purposes. Google did provide the information users needed in order to give their consent, but it was presented in such a convoluted way that the regulator found it did not meet GDPR requirements: “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” said the CNIL. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

H&M: €35.3m fine

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has fined Swedish clothing giant H&M for GDPR violations arising from unlawful employee surveillance practices. This case is interesting because it wasn’t the result of a cyberattack or misuse of consumer data. It involved management at the retailer’s Nuremberg service centre illegally collecting and storing personal information about its own employees and using it without their knowledge or consent to make employment-related decisions.

The information was gleaned using employee surveys and through informal conversations between members of staff around the office. The data gathered included sensitive personal information such as medical diagnoses, religious beliefs and even activities carried out during holiday time. Profiles were then created on individual members of staff and made available to key decision makers within the company.

The activity was uncovered in October 2019 when, due to a technical error, the files were accidentally made accessible to all employees. H&M apologised to and compensated the individuals affected. It has also put a number of mitigation measures in place, including the appointment of a data protection coordinator and an improved whistleblower process. The HmbBfDI said H&M had demonstrated a “clear disregard for employee data protection” and that the penalty was “appropriate and suitable in order to deter companies from violating the privacy of their employees.”

Marriott International: £18.4m fine (reduced from £99m)

In July 2019, the ICO issued a statement of intent to fine hotel group Marriott International £99m for GDPR failures relating to a breach of the systems of Starwood Hotels, a company acquired by Marriott in 2016. The compromised data differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership numbers. The ICO said it “considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business” before setting a final penalty of £18.4m in October 2020.

In 2014, an unknown cybercriminal installed a web shell (a script that lets an attacker run commands on a server through its web interface) on a device in the Starwood Hotels network, giving them remote access to that device and, from it, to other devices on the network. The attacker then installed further tools to gather the login credentials of additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and its contents exported by the attacker.

An estimated 339 million guest records are believed to have been compromised, of which around 30 million related to EU residents and seven million to UK residents. The compromise is believed to have begun in 2014, but it was not discovered or reported until 2018.

The potential impact of Brexit

There are potentially serious implications for the handling of data post-Brexit. The free flow of data between the EU and the UK is not guaranteed after the transition period ends on 31 December 2020. “If the EU has not made adequacy decisions in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to lawfully receive personal data from EU/EEA businesses (and other organisations) in the future,” says guidance issued to UK organisations. “In this scenario, organisations will be required to put in place alternative transfer mechanisms to ensure that data can continue to legally flow from the EU/EEA to the UK. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).” The ICO has provided an interactive tool to help UK firms make use of SCCs and keep data flowing if the transition period ends without adequacy. It’s important that firms make preparations for this eventuality now, or they could suffer considerable disruption if adequacy is not reached, which, if Brexit negotiations thus far provide any indication, is entirely possible.

EU-US Privacy Shield

Brexit is not the only development firms should be keeping an eye on with regard to data regulation. A ruling in July 2020 by the Court of Justice of the European Union (CJEU) invalidated the EU-US data transfer framework commonly known as Privacy Shield. The decision came after privacy campaigner Max Schrems took Facebook to court, arguing that EU citizens’ data was not protected from US surveillance laws once it had been transferred from the EU to the US. The CJEU found that Privacy Shield is not a valid basis for transferring personal data from the EEA to the US. The Data Protection Commission (DPC) of Ireland (where Facebook’s European operations are headquartered) said: “Whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.” Although the ruling upheld the use of SCCs in principle, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable,” it added.

This could impact banks and other financial institutions, in particular European banks that use third-party US companies for data management purposes. Eduardo Ustaran, a lawyer with law firm Hogan Lovells in London, told Bloomberg: “A European bank that uses a US company to store or analyse transactional data will be affected by the Schrems decision if that US provider either relied on the Privacy Shield or was subject to Standard Contractual Clauses. Customers of those banks will have the right to question the level of safeguards for their data, and data protection authorities have the power to scrutinise the same,” he said.

Reduced fines

Regulators have been taking the huge impact of COVID-19 into consideration when finalising GDPR penalty amounts. In the UK, the ICO says it will “consider the economic impact and affordability” before issuing fines and that “in current circumstances, this is likely to continue to mean the level of fines will be reduced.” Despite this, fines are still very much being issued, so firms should continue to prioritise data security at all times.

Remote working

The fallout from swathes of people swapping the office for remote working as global lockdown measures were hastily implemented in March is yet to be realised, but there is no doubt that data security issues will arise. Firms had little or no time to ensure staff were using encrypted devices, and staff may have been forced onto unsecured Wi-Fi networks without a VPN because of pressure on VPN capacity during the first peak of the pandemic. As many nations enter a second lockdown, firms should be better prepared, with long-term measures in place to support remote working. GDPR advice on ensuring compliance while working from home includes updating the cybersecurity policy to reflect the new working arrangements; training employees and ensuring adequate support from the cybersecurity team; encrypting all data, whether in transit or “at rest” (stored on a device or network); limiting access to sensitive data; and keeping connections secure by using a corporate VPN.

NHS Test and Trace

In the UK, the NHS COVID-19 app, which forms part of the NHS Test and Trace service and is designed to notify individuals when they have been exposed to someone who has tested positive for COVID-19, has already created some issues when it comes to GDPR compliance. Bank branch workers at Lloyds and TSB have reportedly been asked to switch the app’s contact tracing functionality off while they are not with their phones, to prevent false notifications (phones stored together in lockers can register each other as close contacts). Many banks ask employees to keep their phones stowed in a locker during working hours in order to protect sensitive customer data in line with GDPR (although this is not a legal requirement). This could have repercussions if employees feel they have been put at risk by not having access to the app when in face-to-face contact with customers and other members of staff.

Further reading and useful tools

FAQs about the Max Schrems vs Facebook ruling and what this means for firms transferring data from the EU to the US

Information on data security under GDPR when working remotely

Information from the UK’s ICO on data protection after the Brexit transition period (recommended to check for updates on the UK adequacy agreement)

Information from the European Commission on Standard Contractual Clauses

An interactive tool from the UK’s ICO for Standard Contractual Clauses
