By Greg Duke
In my previous blog post, I warned that the United Kingdom Information Commissioners’ Office (UK ICO) might be preparing to take a hard line on companies which fail to protect their customers’ personal data under GDPR regulations. On July 9, 2019, the UK ICO followed through on the threat in dramatic fashion. The Office fined British Airways £183 million ($228.3 million) for a breach which exposed 500,000 customers’ personal data and credit card details to a criminal hack; and, the Office announced plans to fine Marriott Corporation—a US-based company—£99.2 million ($123.8 million) for exposing the personal details of 339 million of its customers to third parties.
Not only are these two fines by far the largest levied under any European country’s GDPR regime (the previous largest was against Google for€50 million/$56 million by France in 2018), but the Marriott fine is also significant because the ICO ruling referred to breaches of data privacy committed outside of the UK against non-UK citizens.
While it remains to be seen whether that part of the ruling will stand, and while the ICO has yet to levy fines of this magnitude against foreign nonprofits as opposed to foreign corporations, the two fines announced this week represent a massive statement of intent to prosecute organizations which breach GDPR regulations.
If your organization does any fundraising in the United Kingdom or even if you just hold data on UK or EU citizens, now is the time to review your data integrity policies and procedures. If you have questions about GDPR, please comment below or feel free to ask me at firstname.lastname@example.org.