Three ways to avoid high profile GDPR fines


Three ways to avoid GDPR fines


Despite news reports of the Information Commissioner’s Office (ICO) massively reducing some hefty and high-profile fines, GDPR penalties have not gone away. In this report we look at what happened originally when BA and Marriott were handed out their fines, and give you three ways to minimise the chances of the same happening to your company under the General Data Protection Regulation (GDPR).

In the run up to the original GDPR deadline, the driver behind compliance was fine avoidance; under GDPR organisations face fines of up to €20m or 4% of annual global turnover. Then the deadline hit, and all eyes nervously darted around waiting to see who would be the first to fall.

Most companies waited and watched. After the frenzied preparations for GDPR, largely focused on manual documentation and processes, there was little appetite to plough on with buying the tools to actually deal with the privacy risk of over retained and poorly secured data. After all, everyone thought Facebook and Google will be fined, not our company, right?

British companies spent an average of £1.3 million to ensure their GDPR compliance1

In April 2019, the first significant fine hit Bounty, a pregnancy and parenting club; £400k for illegally sharing personal information belonging to more than 14m people – not exactly the mother of all fines, but something.

Then finally the ICO laid down the law with some bigger scalps. In a single week back in 2019 it issued two hefty fines:

£99m to Marriott: after hackers accessed its Starwood guest reservation database, accessing 383m guest records, 18.5m encrypted passport numbers and 9.1m encrypted payment cards.

£183m to British Airways: after the personal details of 500k customers were harvested in a ‘sophisticated, malicious criminal attack’ on BA’s website by outside hackers.

What was interesting about both of these, was that despite repeatedly been told to expect fines of up to 4% of a company’s turnover, the fines were actually approximately 1.5%.



It’s interesting to look at the nature of the breaches. In both cases the hackers breached security with the intent to intercept and steal personal data. In the case of BA, it was an e-commerce website attack from the perimeter fence, rather than a leak of customer data from the ‘inside’ of BA’s data estate.

Of the 14,000 breaches reported and investigated, 12,000 were closed within a year, and 82% resulted in no action from the ICO.

It’s possible that when the ICO investigated, it discovered that both organisations had made some effort to reduce the overall risk of a data breach under most of the principles of the GDPR. Maybe overall, they were doing a good job of ensuring their general compliance with the new regulations, but an embarrassing high-profile website hack attack was enough to warrant a 1.5% fine.


There are many ways to be in breach

Any organisation could be an unfortunate victim to sophisticated and deliberate external attacks. Hackers with enough intent can often find a way to exploit the slightest vulnerability within e-commerce websites. However, in reality, the core of GDPR is actually about approach to data collection, storage and management – not so much about e-commerce security in the purest sense.

The BA and Marriott breaches literally touch the surface of what privacy compliance requires from organisations. Despite having the fines reduced to a fraction because the travel industry was so catastrophically affected by Covid lockdowns, the original fines focus on just one of many ways to lose customer data, so a holistic approach is needed.

It’s why organisations need a broad approach to good information governance and process, not just perimeter cyber-security. While much of the headline-grabbing might be around preventing deliberate theft, you can’t afford to rest on your laurels when it comes to good data management practice across your data estate.

Achieving ‘compliance’ to regulation is a constant mission and aim, not something that can be ticked off, marked complete and put to bed.

So what can you do to strengthen your data security to enable governance, risk management, retention, cybersecurity and compliance with privacy regulations?

Here, we focus on three key areas:


1. Prioritise critical customer systems first

Should your organisation suffer a breach, “not knowing” that you have unseen data or inconsistencies in the treatment of data is not a permissible excuse in the eyes of regulatory bodies such as the Information Commissioner’s Office (ICO) in the UK. This means that not only do organisations have to set aside adequate time and money to undertake discovery, they need to be prepared to make time to assess, understand and decide what to do about unexpected data.

As an example, what would you do if you found that your marketing organisation had three databases which contained a mixture of duplicated and unique data? How would you consolidate and organise the data and how long would it take to go through that process?

In late 2019 the German regulator fined Deutsche Wohnen £12.5m for running a data archive that had no measure or systems for handling over-retained or out of policy data. With that precedent set so early on, it was a lesson to every business - that, put simply, they need to know their data or risk a huge fine from the regulator.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear; when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Elizabeth Denham, UK Information Commissioner.

The UK Information Commissioner makes it clear that prioritising critical customer systems is vital. The C-Suite in any business, particularly in those storing any kind of customer data, must be at the forefront of driving efforts to identify and secure those systems and that means starting with the perimeter fence – or your cyber security efforts.

Understand where vulnerabilities in the external, customer-facing systems are and take action to secure those.


So how can you protect personal data from an attack? Here are three practical steps:


Assess whether it is worth upgrading or retiring systems

Companies of all sizes are using huge numbers of software systems and applications, a subset with customer data stored within, and a smaller subset of critical systems handling and storing financial or sensitive data and transactions. The first step is identifying and risk-scoring each of these, to prioritise what happens next

Audit what you find based on risk

Run an audit of every system you have to understand where the weaknesses may be in your perimeter wall. Does the business still use all of them? Are there legacy systems that could be weaker than others?

Strengthen your cyber security processes and systems.

We won’t attempt to cover the huge area of cyber security in this article. If you need help in this area, speak to us, we have partnerships with some of the world’s leading cyber security companies. Having done these three things, it feels as though the probability of compromise of BA’s e-commerce platform may have been reduced dramatically.


2. Remember to keep your whole data estate in order

Once you’ve done all you can on critical customer data systems, you still have work to do. For all the customer data secured in the correct locations, there’s bound to be ‘toxic’ customer data lurking around your estate in the form of ‘unstructured’ data, such as documents. This customer information is often stored incorrectly due to human error, or employees just trying to get their jobs done in a hurry.

It’s this unstructured data that:

  • Unhappy employees target when they’re looking to attack your organisation with “weaponised” subject access requests.
  • The ICO will look poorly on if left unmanaged and unknown in the event of a data breach.
  • Becomes ‘dark’ in your organisation, putting you at risk since you’re completely oblivious to what information you actually hold.

79% of consumers believe organisations won’t be able to find all the personal data that is held about them2


Make sure you keep your house in order by using data discovery software, which finds your customers’ and employees’ personal data and starts cleaning up. The key here is to make sure that nobody stumbles across, then steals or reveals valuable customer data from an old file share that you didn’t even know exists.

At Exonar we have seen that as much as 9% of an organisation’s structured data contains personal information in one form or another.


Here are three practical steps you can take to get your data estate in order:

Discover your data

You need to be able to see what you’ve got and where it’s stored, so you’ll need software that will help you uncover your structured and unstructured data at scale and across all of your systems.

Understand what you’ve got

The ability to search your data using specific keywords or to accurately identify Personal Identifiable Information (PII) in various forms within your unstructured data is key. Identifiers like ‘credit card’, ‘ethnicity’ or ‘date of birth’, or a combination of these, allow you to identify toxic data, to know where it is located and to understand who has access to it. Enabling multiple search terms is key to understanding what personal information you have and where it is stored.

Take action in your data

Once you know what you’ve got, you may need to move or delete that data to prevent it being compromised in the event of a data breach. If data has been left around your estate, you should also look at reviewing policies to ensure that employees and business processes are not elevating the risk of data loss, inadvertently or unnecessarily. By keeping your ‘house in order’ when it comes to your data estate, the probability of risky information and data finding its way into the wrong hands can be hugely reduced.


3. Seek broad data best practice to balance risks

It’s important to note that the purpose of GDPR legislation is about applying common-sense process to the full lifecycle of customer data, not just the application of cyber-security solutions to prevent external attack (although that’s obviously important too).

The key thing is to understand, document and continuously review what you’re doing in relation to each of the seven key principles, aiming for best-practice in each area.


Here are 3 steps towards data best practice you can take right now:


Revisit and assess your GDPR policies

With the benefit of a year of GDPR processes under your belt, now’s the time to revisit and reassess how compliant you are. In an ideal world you’ll be doing this annually:

1. How have your policies and processes played out?
2. Given the nature of these first major fines since GDPR, has anything changed with your approach?
3. Has your organisation or its processes changed or evolved?
4. Has the overall risk profile of your organisation or industry changed in any other ways?

Define how you process personal data

This is a key one for the ICO. Where you’ve identified what processes for personal data processing need to be updated, ask yourself these three questions:

What data should not be processed where?
What data should be deleted and when?
What data poses an unacceptable risk to the business?


To answer these questions, analyse your data inventory and think about the types of personal data processing that would pose privacy, security, and business risks to your organisation.

Keep your internal teams up to date

The importance of training shouldn’t be underestimated. A year on, do your staff still know what your GDPR policies are and how to apply them? The human element is a key part of processes, and in reality, data is in the hands of internal teams on a daily basis. Refresh training on data management and how to handle it.


Reminder: The seven key principles of the GDPR are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

It could have been a lot worse

The regulator has flexed its muscles and is ready to act. In fact data protection regulators have handed out 50 GDPR fines across Europe since 2018 to the tune of £482m. (Read our blog 'Analysis reveals 2 key reasons behind 70% of GDPR fines')

While the levels of fines we’re starting to see are mind boggling, we believe BA saved itself a further £300m in fines because when the inspectors from the ICO arrived at their offices, they saw efforts to comply with GDPR had been made with several risks mitigated. And has been in then news with a further massive reduction in the fine by the ICO to £20m. However, that's still a large amount.


Minimising the risk of being fined under the GDPR is as simple as:

1. Prioritising sensitive systems
2. Keeping your data estate in order
3. Pursuing best-practice to balance risks

Under GDPR, the ICO has broader powers and needs to be firm but fair. It means the regulator has greater control and flexibility to access companies’ data protection practices, the power to issue assessment notices, and the ability to escalate investigations where necessary – especially in the event of a data breach.

“We received around 14,000 PDB (personal data breaches) reports from 25 May 2018 to 1 May 2019. For comparison, we received around 3,300 PDB reports in the year from 1 April 2017.”



Of the 14,000 breaches reported and investigated, 12,000 were closed within a year, and 82% resulted in no action from the ICO.

But for the remaining 2,000 under investigation, there is unnecessary worry and stress; focus is been taken away from the business and pointed towards satisfying the ICO’s requirements.

And as the people accountable for good data management practice, the Chief Information Security Officer (CISO) and the Data Protection Officer (DPO) have remained firmly in the firing line.

Experiencing a breach doesn’t have to be career ending, or even result in the maximum 4% fine. As we’ve seen with both Marriott and BA, it’s all about mitigating risk across the board.

Show how you’ve tightened security inside your data estate and followed the process to protect personal data. Acknowledge what was taken and notify the individuals involved as soon as the breach occurs, along with the measures you’ve put in place to ensure it can’t happen again.


1: “British businesses throw £1.3 million to ensure GDPR compliance – survey”, Computing, (February 2018), british-businesses-throw-gbp13-million-to-ensure-gdpr-compliance-survey
2: “2018 Veritas GDPR Consumer Study”, 3GEM, es-with-onslaught-of-dataprivacy-requests-following-deadline-for-gdpr-compliance
3: “GDPR: One year on” (2019), Service%20Expectations%20Gladly.pdf


Start discovering your data today

Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?

Book a demo today

 “Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis - whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”

Dave Parker, Group Head of Data Governance, Arrow Global