GDPR enforcement – lessons to learn in 2019

28th November 2019

The year of enforcement

While 2018 was the year of GDPR implementation, 2019 is proving to be the year of enforcement.

In July, the UK’s information regulator, the Information Commissioner’s Office (ICO), exercised its considerable fining power under GDPR, issuing a notice to Marriott International, of a £99,200,396 fine. Supervisory authorities can issue penalties up to the higher of 4% of annual global turnover or €20m.

The ICO’s statement

The ICO’s statement on Marriott reveals that a vulnerability in the company’s systems led to a cyber incident which compromised 339m guest records. The underlying issue dated back to 2014 and affected a business – Starwood Hotels- which Marriott purchased in 2016.


Contact our GDPR and Data Protection team now.


In the Marriott notification, the Information Commissioner said “GDPR makes clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition.” The announcement emphasised that, when buying another business, organisations need to put in place proper accountability measures to assess not only what personal data is acquired but how it is protected.

Two public bodies – HMRC and the Metropolitan Police – also came under ICO scrutiny this year.

The ICO issued an enforcement notice to HMRC relating to its Voice ID service for customer verification on its helplines. The ICO said HMRC’s use of voice data of around 7m customers was unlawful. The investigation concluded that customer consent was required for the processing but had not been validly given. This was of particular concern to the ICO as voice data is biometric data, a type of special category data which requires enhanced protection under GDPR.

The ICO criticised HMRC for failing to carry out a data protection impact assessment (DPIA) before launching the Voice ID service. DPIAs are required where processing is “likely to result in a high risk to the rights and freedoms of natural persons.”

The Met Police has been ordered to respond to its significant backlog of data subject access requests (DSARs) following an investigation by the ICO which revealed, in June this year, that over 1,000 DSARs had not been responded to within the one-month timeframe stipulated by GDPR. Failure to comply with the enforcement notice could result in a fine.

GDPR, data protection, 2019


The ICO has also issued its first penalties to businesses for failing to pay the data protection fee. GDPR says all organisations, companies and sole traders that process personal data must register with the ICO and in almost all cases will have to pay an annual fee, failing which they face a potential maximum fine of £4,350. Approximately 300 penalty notices have now been issued.

The regulator is also publicly naming companies that do not pay on time. This sends a message to customers and the wider public; if a company is failing to pay its data protection fee on time what else is it not getting right in relation to personal data it holds?

Protect your business

To summarise, here are some practical steps you can take to help you avoid being the next in line for enforcement action:

  • When buying a business, do proper personal data due diligence, do a data audit post-completion, make sure it is secure and stays secure.
  • When rolling out new systems or processes, make sure you do a DPIA to assess the impact on data privacy. Then make sure you act on it!
  • Keep looking at your processes – how are you dealing with data subject access requests, are they backing up? Do you need more resource or a more streamlined process?
  • Pay your data protection fees! Put a reminder in a central diary to stay up to date with renewals.

Related Blogs

View All