“The hotel group Marriott International has been told by the UK Information Commissioner’s Office that it will be fined a little over £99 million (A$178 million) over a data breach that occurred in December last year…
This is the second fine for data breaches announced by the ICO on successive days. On Monday, it said British Airways would be fined £183.39 million (A$329.1 million) for a data breach that occurred in September 2018.”
Sam Varghese of ITwire.
The scale of the fines issued to Marriott and BA is mind-boggling.
Here’s a link to the GDPR (General Data Protection Regulation) fine regime and determination process. Fines can be issued by GDPR policing agencies of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
Determination is based on the following questions:
- Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
The two examples listed above provide 282 million reasons for governments to police data protection more stringently than they do today. The regulatory pressure is only going to increase right? As I understand it, these processes are only enforced in reactive mode currently. What if the regulators become move to proactive mode?
Question for you – Looking at #7 above, do you think the customer information stored in your OSS/BSS is more or less “impactful” than that of Marriott or British Airways?
Think about this question in terms of the number of daily interactions you have with hotels and airlines versus telcos / ISPs. I’ve stayed in Marriott hotels for over a year in accumulated days. I’ve boarded hundreds of flights. But I can’t begin to imagine how many of my data points the telcos / ISP could potentially collect every day. It’s in our OSS/BSS data stores where those data points are most likely to end up.
Do you think our OSS/BSS are going to come under increasing GDPR-like scrutiny in coming years? Put it this way, I suspect we’re going to become more familiar with risk management around the 10 dot points above than we have been in the past.