It has been reported that the Information Commissioner's Office (ICO) has once again deferred the massive GDPR fines it issued to British Airways and Marriott International nine months ago. The fines, relating to data breaches that occurred during 2018, are not insignificant: £183 million for British Airways and £99 million for Marriott International.
Given that the ICO has a six-month period following a statement of intent to actually issue the penalty notice to demand payment, and there has already been a three-month deferment in January, this might seem like odd behaviour.
However, the ICO's investigations are still ongoing, and the current Covid-19 pandemic has certainly complicated the regulatory process. Not least when it comes to the ability to pay, given that the air travel and hospitality sectors have been particularly hard-hit by global lockdowns.
Could these extensions, while perfectly understandable in the current unprecedented times we all find ourselves in, have a broader long term impact when it comes to GDPR enforcement generally?
"I think that ICO is taking exactly the right and most fair approach right now," said Samantha Humphries, security strategist at Exabeam. "Extending the deadline does not excuse or negate the need for organisations to have good security and privacy practices long term, nor will it prevent the ICO from holding those who exhibit bad practices accountable for their actions," she told SC Media UK.
"The perceived risk of fines for businesses which are non-compliant with GDPR or who suffer a data breach is certainly going to diminish for a while," said Danny Reeves, CEO at Exonar.
"The government will simply not wish to apply further financial penalties on businesses already dealing with the hit from the Coronavirus crisis on the economy and the 'ability to pay' response will be more prominent," Reeves told SC Media UK.
"We are bound to see many appeals for extensions primarily due to the financial impact of COVID-19," Safi Raza, director of cyber-security at Fusion Risk Management, told SC Media UK. He raised the concern that any "absence of actions" may lessen the effectiveness of the ICO.
"Flexibility is being found across the board in governments globally to ensure our economies survive this turbulent period, be it business rates, tax or in this case regulatory actions," said James Chappell, chief innovation officer at Digital Shadows.
Whether such flexibility sets a precedent remains to be seen, but Chappell said he wouldn't reasonably expect the size of the fines to change in these specific cases, although the payment terms for those fines could well change.
The postponements do not defer the requirement for companies to ensure that information is stored and processed using the safeguards and controls that are appropriate for the sensitivity of the data, said Chris Hodson, CISO at Tanium.
Exabeam's Humphries noted that while it's easy to focus on fines, they are just one of the many options available to supervisory authorities. "They can also issue warnings and reprimands, impose a temporary or permanent ban on data processing, order the rectification, restriction or erasure of data, and suspend data transfers to third countries," she said.
In the majority of cases, it's these other options that are used. "The best deterrent isn’t the fines for most businesses anyway," said Nicky Whiting, Head of Compliance at Bulletproof. "It’s the reputational damage of having a data breach."
So, will these extensions likely have any real impact on the future of data protection, data security and data governance, especially as we emerge from COVID-19 lockdown into what is likely to be a prolonged recession?
"Keeping customer data safe and investing in data governance won’t go away during this crisis and any associated recession," said Exonar’s Reeves. "Prioritising data security will remain firmly on the agenda, but we do think we’ll see businesses seeking to understand their data better – knowing what they’ve got and where it’s stored in order to find the asset value will help to rebuild and define competitive advantage in extremely tough trading conditions."
“The news of ICO imposing fines forced organisations to evaluate their privacy practices and plan adequate changes. The delays, postponement, or reduction of fines will erase the need for the urgency,” Raza told SC Media UK.