ICO Notice of Intent: BA and Marriott

The Information Commissioner's Office has, over the past 48 hours, published its Notices of Intent for two of the GDPR-era enforcement cases that I have been writing about for nearly a year. British Airways: £183.39 million, equivalent to 1.5% of BA's 2017 worldwide turnover, for the September 2018 Magecart-pattern breach affecting approximately 500,000 customers (ICO statement on BA NoI). Marriott: £99.20 million, for the Starwood-database breach disclosed in November 2018 affecting approximately 339 million guests (ICO statement on Marriott NoI). The numbers are large enough to settle the question of what GDPR enforcement looks like in practice — substantially larger than the pre-GDPR maximum of £500,000, but materially below the headline-grabbing 4%-of-turnover ceiling.

The cases will not produce final fines at the NoI figures: both companies have the right to make representations, and both have indicated they will appeal. The actual fines, when they land in 12-18 months' time, will likely be reduced from the NoI figures based on the represented mitigation, the level of cooperation, and the various procedural arguments that the affected companies' counsel will make. The reduction is, on regulatory-precedent analogues from other domains, likely to be in the 30-60% range. Even at the lower end of the likely final figures, however, the cases will set the new floor for what serious GDPR enforcement looks like.

The structural conclusions for the customer briefings. First, the GDPR enforcement environment is real, the numbers are material, and the customer-organisation programmes that have been treating GDPR as a tick-box exercise rather than as substantive operational practice are now demonstrably exposed. Second, the calculation of the NoI figures has, on the limited public detail, used the scale of the affected data-subject population and the duration of the exposure window as principal factors. Customer organisations holding large customer-data populations are at higher exposure to comparable enforcement; the architectural disciplines that limit data retention and segment customer-data populations now have a quantifiable financial benefit. Third, the cases are both supply-chain-shaped — BA via the Magecart third-party-script mechanism, Marriott via the acquisition-integration of an undetected persistent intrusion in the Starwood estate — which reinforces the supply-chain-security investment we have been advocating for two years.

For the portfolio, the GDPR enforcement signal validates the programme work that has been the dominant strategic theme since 2016. The customer organisations that have invested substantially in an attestable GDPR posture — Browne Jacobson, Towry, the financial-services firm — have a defensible position against any future enforcement scrutiny. The customer organisations whose programmes have been less mature — the manufacturer's overseas subsidiaries, in particular — are visibly exposed. The Q3 customer-board cycles are, on the evidence of the conversations this week, going to see sharper customer-organisation engagement on the data-protection programme than the previous cycles did.

The wider regulatory-conversation implications are substantial. The European supervisory authorities are watching the UK ICO's enforcement calibration carefully, and the BA and Marriott cases will inform the enforcement decisions in other jurisdictions. The French CNIL's January 2019 Google fine of €50 million (CNIL Google fine, January 21) was the previous high-water mark of GDPR-era enforcement; the BA and Marriott NoIs reset the bar substantially upward. The expectation through 2020 is that comparable enforcement actions will land in other EU jurisdictions on a steady cadence, and the customer-organisation programmes need to plan accordingly.

For the customer briefings I am doing this week, the message is that GDPR enforcement is now a quantifiable risk that customer-organisation boards can model, and the investment in compliance posture has a defensible commercial return. The cost of the programme work has been substantial — for the customer-organisation programmes I have been managing, the aggregate cost across 2016-2019 has been in the millions of pounds for the larger customers — but the cost of being on the wrong side of an ICO investigation is now, on the BA and Marriott NoIs, substantially larger. The cost-benefit framing is, finally, clear in both directions.

I will write more as the cases proceed through representation and final-fine determination. The precedent value of the ICO's reasoning — particularly the assessment of "appropriate technical and organisational measures" under Article 32 — is going to be at least as important as the financial figures themselves, because that reasoning will inform supervisory expectations across the EU for several years.
