{"id":5063,"date":"2019-09-13T09:38:15","date_gmt":"2019-09-13T08:38:15","guid":{"rendered":"https:\/\/www.infolaw.co.uk\/newsletter\/?p=5063"},"modified":"2021-01-09T15:30:49","modified_gmt":"2021-01-09T15:30:49","slug":"first-gdpr-level-fines-uk","status":"publish","type":"post","link":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/","title":{"rendered":"First GDPR level fines in the UK"},"content":{"rendered":"<p>One of the key changes brought about by the <a href=\"https:\/\/www.infolaw.co.uk\/newsletter\/2016\/09\/introducing-the-gdpr\/\">General Data Protection Regulation<\/a> (GDPR), which came into force on 25 May 2018, was a substantial increase in the maximum fines available for data protection breaches, to the higher of \u20ac20 million or 4% of global annual turnover. Any breaches which occurred prior to this date were subject to a maximum of \u00a3500,000 set by the Data Protection Act 1998 &#8211; and this former upper limit was only invoked once, in the case of <a href=\"https:\/\/www.bbc.co.uk\/news\/technology-45976300\">Facebook and its part in the Cambridge Analytica<\/a> scandal. Many commentators pointed out that half a million pounds was \u201cchump change\u201d for the likes of tech giants. The same couldn\u2019t be said of the<a href=\"https:\/\/www.bbc.co.uk\/news\/business-48905907\"> \u00a3183 million fine<\/a> which the Information Commissioner&#8217;s Office (ICO) levied on British Airways (BA) less than a year later.<\/p>\n<p>According to the ICO, a malicious hack of BA\u2019s website began in June 2018 (ie after the GDPR came into force) and led to the personal details of some 500,000 passengers being compromised, including names, emails and credit card information. The record breaking fine amounts to 1.5% of the worldwide turnover of BA in 2017 &#8211; so it could have potentially been a lot higher. It has <a href=\"http:\/\/www.travelweekly.co.uk\/articles\/339405\/ba-to-appeal-183m-data-breach-fine\">been reported<\/a> that BA will appeal the fine.<\/p>\n<p>Following the announcement of the BA fine, the ICO took another bite out of corporate profits with its new teeth the very next day, <a href=\"https:\/\/www.theguardian.com\/business\/2019\/jul\/09\/marriott-fined-over-gdpr-breach-ico\">proposing a \u00a399.2 million fine<\/a> for the international hotel group Marriott as a consequence of a data breach in which cyberattackers stole the records of around 339 million guests.<\/p>\n<p>These GDPR level fines, rather than being merely being symbolic, are probably a sign of things to come. Companies which have hitherto paid lip service to cybersecurity &#8211; particularly those which process vast amounts of personal information &#8211; need to sit up and take note of the ICO\u2019s new armoury.<\/p>\n<p>Image <a href=\"https:\/\/www.flickr.com\/photos\/descrier\/35440117101\">cc by Descrier on Flickr<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in the maximum fines available for data protection breaches, to the higher of \u20ac20 million or 4% of global annual turnover. Any breaches which occurred prior to this date [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":5065,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,164],"tags":[],"class_list":["post-5063","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection","category-regulation"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\r\n<title>First GDPR level fines in the UK - Internet for Lawyers Newsletter<\/title>\r\n<meta name=\"description\" content=\"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_GB\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"First GDPR level fines in the UK - Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"og:description\" content=\"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/\" \/>\r\n<meta property=\"og:site_name\" content=\"Internet for Lawyers Newsletter\" \/>\r\n<meta property=\"article:published_time\" content=\"2019-09-13T08:38:15+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2021-01-09T15:30:49+00:00\" \/>\r\n<meta property=\"og:image\" content=\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg\" \/>\r\n\t<meta property=\"og:image:width\" content=\"640\" \/>\r\n\t<meta property=\"og:image:height\" content=\"400\" \/>\r\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\r\n<meta name=\"author\" content=\"Alex Heshmaty\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:creator\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:site\" content=\"@nickholmes\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Heshmaty\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/\",\"name\":\"First GDPR level fines in the UK - Internet for Lawyers Newsletter\",\"isPartOf\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg\",\"datePublished\":\"2019-09-13T08:38:15+00:00\",\"dateModified\":\"2021-01-09T15:30:49+00:00\",\"author\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/daff2a47987956c44c74c8e136c0ffde\"},\"description\":\"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in\",\"breadcrumb\":{\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg\",\"contentUrl\":\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg\",\"width\":640,\"height\":400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"First GDPR level fines in the UK\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#website\",\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/\",\"name\":\"Internet for Lawyers Newsletter\",\"description\":\"Edited by Nick Holmes\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.infolaw.co.uk\/newsletter\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/daff2a47987956c44c74c8e136c0ffde\",\"name\":\"Alex Heshmaty\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dd8296d053e8fde73684687cf6357300702da710fec385800bf0bf74f12a5916?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/dd8296d053e8fde73684687cf6357300702da710fec385800bf0bf74f12a5916?s=96&d=mm&r=g\",\"caption\":\"Alex Heshmaty\"},\"description\":\"Alex Heshmaty is technology editor for the Newsletter. He runs Legal Words, a legal copywriting agency based in the Silicon Gorge. Email alex@legalwords.co.uk.\",\"sameAs\":[\"http:\/\/www.legalwords.co.uk\"],\"url\":\"https:\/\/www.infolaw.co.uk\/newsletter\/author\/alexheshmaty\/\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"First GDPR level fines in the UK - Internet for Lawyers Newsletter","description":"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/","og_locale":"en_GB","og_type":"article","og_title":"First GDPR level fines in the UK - Internet for Lawyers Newsletter","og_description":"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in","og_url":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/","og_site_name":"Internet for Lawyers Newsletter","article_published_time":"2019-09-13T08:38:15+00:00","article_modified_time":"2021-01-09T15:30:49+00:00","og_image":[{"width":640,"height":400,"url":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg","type":"image\/jpeg"}],"author":"Alex Heshmaty","twitter_card":"summary_large_image","twitter_creator":"@nickholmes","twitter_site":"@nickholmes","twitter_misc":{"Written by":"Alex Heshmaty","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/","url":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/","name":"First GDPR level fines in the UK - Internet for Lawyers Newsletter","isPartOf":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage"},"image":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg","datePublished":"2019-09-13T08:38:15+00:00","dateModified":"2021-01-09T15:30:49+00:00","author":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/daff2a47987956c44c74c8e136c0ffde"},"description":"One of the key changes brought about by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, was a substantial increase in","breadcrumb":{"@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#primaryimage","url":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg","contentUrl":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2019\/09\/GDPR-by-Descrier.jpg","width":640,"height":400},{"@type":"BreadcrumbList","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/2019\/09\/first-gdpr-level-fines-uk\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infolaw.co.uk\/newsletter\/"},{"@type":"ListItem","position":2,"name":"First GDPR level fines in the UK"}]},{"@type":"WebSite","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#website","url":"https:\/\/www.infolaw.co.uk\/newsletter\/","name":"Internet for Lawyers Newsletter","description":"Edited by Nick Holmes","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infolaw.co.uk\/newsletter\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/daff2a47987956c44c74c8e136c0ffde","name":"Alex Heshmaty","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.infolaw.co.uk\/newsletter\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/dd8296d053e8fde73684687cf6357300702da710fec385800bf0bf74f12a5916?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dd8296d053e8fde73684687cf6357300702da710fec385800bf0bf74f12a5916?s=96&d=mm&r=g","caption":"Alex Heshmaty"},"description":"Alex Heshmaty is technology editor for the Newsletter. He runs Legal Words, a legal copywriting agency based in the Silicon Gorge. Email alex@legalwords.co.uk.","sameAs":["http:\/\/www.legalwords.co.uk"],"url":"https:\/\/www.infolaw.co.uk\/newsletter\/author\/alexheshmaty\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/comments?post=5063"}],"version-history":[{"count":4,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5063\/revisions"}],"predecessor-version":[{"id":5735,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/posts\/5063\/revisions\/5735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/media\/5065"}],"wp:attachment":[{"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/media?parent=5063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/categories?post=5063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infolaw.co.uk\/newsletter\/wp-json\/wp\/v2\/tags?post=5063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}