Regulator gets serious with record GDPR fines

01 August 2019

The UK data protection and privacy regulator intends to issue record fines for two separate data breaches, sending a strong signal that the EU’s data protection laws have real teeth.

On July 8, the Information Commissioner’s Office (ICO) announced its intention to fine a UK company £183 million for infringements of the General Data Protection Regulation (GDPR), following a 2018 data breach.

The next day, the ICO announced its intention to fine a US hospitality group £99 million for breaches of the GDPR related to a November 2018 cyber-attack.

Both companies now have an opportunity to appeal the decisions. Following representations by the companies, the regulator will finalise the penalties, which could be reduced if the appeals are successful.

Record Fines

The two ICO enforcement actions – which cover some of the largest and most high-profile data breaches to occur since the GDPR became effective – are widely regarded as test cases for the new regulation’s enforcement.

If upheld, the proposed fines would be the largest ever levied by the ICO, as well as the largest issued in Europe for a breach of the GDPR.

The largest fine under the GDPR prior to the ICO announcements was a €50 million fine against a technology company by the French regulator CNIL in January 2018, although the company said it intends to appeal the fine.

The two proposed fines also dwarf prior ICO enforcement actions under the UK’s former data protection law, the Data Protection Act 1998 (DPA).

Regulator gets serious with record GDPR finesThese included two separate enforcement actions of £500,000 in 2018, the maximum permitted under the DPA and the ICO’s highest ever fines.

In the first nine months that the GDPR was in effect, EU regulators brought more than 200,000 cases in 31 countries and issued nearly €56 million in fines, according to the European Data Protection Board (EDPB), which coordinates the EU’s data protection authorities.

Setting the Tone

Thousands of GDPR actions are currently pending, and organisations should expect EU regulators to continue to stringently pursue instances of non-compliance.

The ICO can impose even larger fines under the GDPR, as regulators can impose a maximum fine of up to 4% of a firms’ global annual turnover, or €20 million, whichever is highest.

However, maximum fines are intended for the most severe breaches of the GDPR, and mitigating factors would presumably be reflected in the penalty.

Insurability of Fines

The ICO has not yet published details of its investigations into the two breaches, nor explained the reasoning behind the enforcement actions and level of fines.

However, the enforcement actions highlight some interesting issues, including the insurability of fines under the GDPR, which varies by location.

Fines and penalties under data protection laws, including the GDPR, may be covered by cyber insurance, where insurable by law.

However, coverage will depend on the nature of the fine or penalty (whether it is civil or criminal and how egregious the non-compliance), as well as the specifics of insurance contracts, and court decisions in relevant jurisdictions.

Cybe Decoder Survey banner

Further clarification on the issue is expected, once the first cases are submitted as claims to insurers and/or go to court.

In the meantime, organisations should work with their advisors to understand how their policies might respond and, where possible, seek to add policy wording that provides the best chance of recovery in the event of GDPR non-compliance.

Extra-Territorial Scope

The ICO enforcement actions also highlight the extra-territorial reach of the GDPR. The rules protect the personal data of EU citizens and can be applied to companies holding or processing their data, even when located outside the EU.

In both data breaches, the ICO investigated the incidents as the lead supervisory authority on behalf of other EU member states’ data protection authorities.

It also liaised with other regulators. Under the GDPR “one-stop shop” provisions, data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

Commenting on the proposed fine, UK Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.

This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess, not only what personal data has been acquired, but also how it is protected.”

Unprecedented Year

The ICO announced the proposed record GDPR fines following what it described as an “unprecedented” year for the regulator. In its recently published annual report, the ICO recorded a 66% increase in data protection enquiries to 471,224, while data protection complaints received by the ICO doubled to 41,661 in 2018/19.

The period was also a record-breaking year of monetary penalties under the DPA, with 22 fines issued and fines totalling £3 million, including two fines of £500,000, the maximum allowed.

Enforcement actions in Europe have also gathered momentum since the GDPR came into force on May 25, 2018.

During the year, the ICO received 13,840 reports of personal data breaches, a big jump from the 3,311 reported personal data breaches in the pre-GDPR 2017/18 period, and the 2,565 breaches notified in 2016/17.

The ICO welcomed the increase in breach reporting (mandatory under the GDPR), saying it demonstrates that organisations are taking the GDPR requirements seriously.

Notifications were highest among general business (18%), health care (16%), education (13%), and financial services (11%).

As a competent regulator for the EU’s Network and Information Systems (NIS) Regulations in May 2018, the ICO revealed the number of cyber incident referrals it received within its annual report.

During 2018-19, the ICO received around 2,500 cyber security incident referrals, of which 44% were phishing attacks and 29% were attributed to unauthorised access.

These figures further indicate the impact of the GDPR and the prevalence of phishing attacks.




  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.

  • For more articles like this, download our Cyber Decoder

    Share this article

  • Get everything you need, delivered straight to your inbox.

    Sign up to receive our latest news and insights here.


Services provided in the United Kingdom by Marsh JLT Specialty, a trading name of Marsh Ltd and JLT Specialty Limited (together “MMC”). Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). JLT Specialty Ltd is a Lloyd’s Broker, authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 310428).

This is not legal advice and is intended only to highlight general issues relating to its subject matter. Whilst every effort has been made to ensure the accuracy of the content of this document, no MMC entity accepts any responsibility for any error, or omission or deficiency. The information contained within this document may not be reproduced. If you are interested in utilising the services of MMC you may be required by/under your local regulatory regime to utilise the services of a local insurance intermediary in your territory to export insurance and (re)insurance to us unless you have an exemption and should take advice in this regard.