Businesses are reminded to ensure their systems and processes are as secure as possible following the Information Commissioner's latest fines against two organisations for data breaches.
In October, British Airways was fined £20 million for processing personal data without adequate security measures in place, leaving the personal data of more than 400,000 of its customers exposed to a cyber-attack in 2018 that went undetected by the airline for more than two months. Marriott International Inc was fined £18.4 million on the same basis, after 339 million guest records worldwide were exposed by a cyber-attack in 2014 on the reservation database of Starwood Hotels and Resorts Worldwide Inc.
Article 5(1)(f) of the GDPR contains the principle of "integrity and confidentiality", also referred to as the security principle. It requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. In addition, the accountability principle in Article 5(2) requires controllers to be able to demonstrate compliance with the principles.
Organisations which fail to observe these rules can face heavy fines and reputational damage.