Until July 8 & 9, 2019, the median GDPR fine was €5,000. On those two days, two fines in the hundreds of millions of euros were announced for GDPR violations. In this article, we’ll talk about what this change in enforcement posture means for your organization. 


In the fall of 2018, British Airways and Marriott International, Inc. notified the public that they had experienced data breaches involving sensitive customer data. At British Airways, an injection vulnerability was exploited in Sep. 2018 by hackers who scraped 500,000 individuals’ credit card and other personal information. And in 2016, Marriott acquired Starwood Hotels, but unbeknownst to Marriott or Starwood, Starwood had been experiencing an undetected security breach since 2014. This breach, finally uncovered in Sep. 2018, exposed the personal details of over 300 million individuals, including over 5 million unencrypted passport numbers.

On July 8 and 9, 2019, the UK’s GDPR enforcement agency (the ICO) announced that it intends to fine¹ British Airways and Marriott £183.39 million ($204 million) and £99 million ($110 million), respectively, for these breaches².


When announcing the two intended fines, the UK’s ICO Commissioner, Elizabeth Denham, stated that: 

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” 

This statement and the size of the fines make it clear that European officials intend to enforce GDPR more strictly going forward (keep in mind that fines can be up to €20 million or 4 percent of annual global revenue, whichever is greater). To protect your organization from potentially material fines, take the following steps to ensure it is GDPR compliant:

  • If you haven’t already, determine how GDPR applies to your organization

You’ll need to assemble the appropriate parties (e.g., legal counsel, information security, etc.) to determine how it applies to your organization. In short, though, if your organization targets or has data on individuals in Europe (regardless of their citizenship), your organization is required to comply with GDPR and protect that personal data. 

  • Establish a mature security program

Article 32 requires organizations to implement information security measures that are commensurate with the risk associated with the personal data that the organization processes, including:

  • Pseudonymization (i.e., anonymization) and encryption of personal data
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems/services
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

If your organization is looking for a place to start, there are many industry standards that can guide you in implementing a mature program. ISO 27001 and NIST’s security framework are two such standards. 

  • Sign data protection agreements with all of your vendors who will handle personal data originating from Europe

If you transfer personal data to any of your vendors, your organization needs to create and sign data protection agreements with them that contractually obligate them to fully comply with GDPR and only process the data per your organization’s instructions.

  • When making acquisitions, conduct a thorough security & privacy assessment of the organization you want to acquire

As Marriott learned the hard way, your organization assumes full responsibility for any GDPR violations that the company you acquire may be committing. If a process is not already in place, be sure to conduct a thorough security & privacy assessment when acquiring companies. 

  • Be aware that other GDPR-like privacy regulations exist, and more are coming

Many countries around the world are actively adopting privacy regulations similar to GDPR, and it’s likely that the United States will enact its own federal privacy regulation in the coming years. California has already passed the California Consumer Privacy Act, which, put simply, is a less strict version of GDPR. Additionally, the European Union has stated that any country wanting to sign a trade deal with the bloc will be required to comply with GDPR as a part of the agreement.

To ensure you’re complying with all of these regulations, consult with your organization’s legal counsel to obtain a full list of which regulations apply to your organization. 


In addition to news announcements, http://www.enforcementtracker.com/ maintains a list of all GDPR fines. 

¹As we discussed in depth in our previous article, the UK’s ICO first announces fines, gives the fined organizations time to respond, and then issues a final fine.

²The differences in breach amounts were likely due to the number of individuals residing in Europe for each breach.