Only yesterday we saw the first proper fine of the post-GDPR era. A mere £183m. Today we hear that the ICO also intends to fine Marriott hotels just under £100m. More than a quarter of a billion pounds in 48 hours. For context, in the whole of last year the total fines for data protection breaches in the UK came to less than 8% of that number.
And so far these are basically fines for failures to comply with Article 32 (appropriate technological controls) and Article 5.1e (data retention). In other words, keeping too much stuff for too long without looking after it properly.
Wait ‘til they fine someone for really breaching the Regulation – like processing data without justification, or misusing special category data. More examples will definitely be made.
Don’t be one of those examples.
- Know what data you have
- Know what you do with that data
- Be able to explain why
- Be sure your explanation is compatible with the law
- Process and keep only what you can prove you need
- Tell data subjects what you have, what you’re doing and why
- Keep proper records of what you’re doing
- Know who’s in charge of data
- Look after data properly
- Don’t share data carelessly, and always know where it’s been and is going
There. Call it £10m per bullet point. Cheap at twice the price.
A bigger picture 