UK – The GDPR one year on

United Kingdom
Written by
Lewis Silkin, widely recognised as the UK’s leading specialist employment law practice.
The UK Information Commissioner’s Office has recently announced its intention to impose significant fines for data protection breaches on British Airways and Marriott International. This article provides details of these and other developments since the entry into force of the GDPR in May 2018. 

Under the GDPR, maximum fines for breach were increased to EUR 20 million or 4% of an undertaking’s annual global turnover. The UK’s Information Commissioner’s Office (ICO) has recently announced an intention to impose fines:

  • of EUR 204 million on British Airways (alleged infringements affecting some 500,000 customers); and
  • of EUR 110 million on Marriott International (alleged infringements affecting 339m customers globally and 30m within 31 states in the European Economic Area).


Before making a decision, the Commissioner will consider representations both by the companies concerned and by other data protection authorities within EU member states.

The Commissioner is putting down a firm marker that breaches of the GDPR will be taken seriously with potentially serious financial consequences.  She said:

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

These are both rather dramatic exercises of the new GDPR powers. The ICO does not normally make statements about ‘intentions to fine’ as opposed to decisions. These proposals emerged because BA and Marriott themselves made announcements to the London Stock Exchange and the US Securities and Exchange Commission respectively. There may be quite a number of other ‘intentions to fine’ in the pipeline that are not currently public, either because the proposed fines are not market sensitive or because the organisations concerned are not listed.

In April 2019, the Home Office accidentally shared the email addresses of hundreds of EU citizens applying to stay in the UK after Brexit. The ICO were alerted to this incident and have said they will make an assessment, but no decision has yet been released.

Although no fines have yet been issued under the GDPR, the ICO have issued ten enforcement notices under the DPA 2018 and GDPR.

On 23 May 2018 the Data Protection Act 2018 became UK law, implementing the EU’s General Data Protection Regulation (GDPR). Some UK-specific rules have been adopted, for example the ability for UK companies to process diversity data for the purposes of diversity monitoring without the consent of the data subject, and the criminal offence of deliberately failing to provide data to a data subject who has submitted a data subject access request.

The GDPR will be enacted in UK law after Brexit under s3 of the European Union (Withdrawal) Act 2018.

Similar to other European countries, the UK has seen a rise in the number of data subject access requests submitted to data controllers, and also the number of data breaches reported to the ICO. The most commonly reported breach is a misaddressed email, rather than those breaches people typically imagine, for example systems being hacked.

Also, it is now customary to receive a data subject access request in conjunction with a grievance and a tribunal claim. Data subject access requests are used as a tool for disclosure, but also as a tool to attempt to leverage more favourable terms from employers.