In the past couple of weeks, the Information Commissioner’s Office (ICO) has announced two high-profile, colossal fines for British Airways and Marriott Group under the tough new General Data Protection Regulation (GDPR). This is a warning sign we would urge AIA members to take on board.

GDPR was introduced into the UK on May 25, 2018 in order to modernise and harmonise data privacy laws across Europe, which protect the personal information of individuals. It was widely regarded as the biggest shake-up to data privacy for 20 years, with all individuals, organisations and companies that are either controllers or processors of personal data covered by the GDPR.


However, over a year down the line, recent research by RSM suggests that circa 30% of European businesses are still not fully GDPR compliant. This is perhaps one reason why the ICO is now taking assertive action on breaches and wielding its considerable powers.

The research suggests a variety of reasons for non-compliance, which is no surprise given the complexities surrounding the new GDPR. One suggested reason was organisational understanding and fatigue caused by the overwhelming amount of (sometimes conflicting) information in the public arena, which led some organisations simply to give up and revert to their old methods of data privacy.

Another factor to consider is technology. GDPR compliance is not simply an exercise in updating policies and procedures and implementing additional training. It is essential that robust protocols are in operation to safeguard against data leakage and unauthorised access to personal data. This is a fact borne out by the recently publicised fines for British Airways and Marriott Group.

Colossal Fines

British Airways became the first high-profile organisation to be issued with a penalty under the new rules earlier this month, when it was fined £183m (equivalent to 1.5% of its worldwide turnover for 2017) after the personal details of more than 500,000 customers were stolen from its website and app.

The incident began on 21 August, when hackers launched a cyber-attack against the airline; however, airline staff only notified the relevant authorities of the incident 16 days later.

In the second high-profile case, Marriott Group faces a fine of over £99m after it left the personal information of up to half a billion guests exposed to hackers.

Information commissioner Elizabeth Denham told Sky News: “People’s personal data is just that – personal.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Accountants Take Note

If you are in the 30% bracket, take note, as the warning signs couldn’t be any clearer. Remember that GDPR affects every department that uses an individual's data, whether it's to send marketing communications or to manage customers' payments.

If you work in practice you will keep client records; if you work in business, you will manage customer records. So, passing the proverbial buck simply will not work.

Moving Forward

The AIA message to members is clear: if you are not 100% GDPR compliant, make achieving this target one of your top priorities.

To help members achieve this, the AIA has formed a strategic partnership with industry-leading GDPR specialists, The Data Support Agency. The collaboration provides AIA members with a cost-effective, solutions-driven approach to the implementation and maintenance of best practice around their own data compliance, which in turn assures their clients that their own data is being well maintained.

Commenting on the collaboration, Sharon Gorman, Director of Development at the AIA said: “As a regulated profession with codes of ethics AIA firmly back the ICO’s expectation that accountants adopt higher standards than the general public, so we are committed to providing our members with cost-effective solutions in order to achieve this goal.

“We have no doubt that the GDPR compliance offering provided by The Data Support Agency will be a significant aid to many of our members.”

Positive Impact

The introduction of GDPR last year has undoubtedly proved, and continues to prove, a challenge for many organisations. However, it has also provided unbridled opportunities for organisations to implement revised best practice, review often outdated policies and procedures, and critically analyse cyber security protocols.

GDPR has already had a positive impact on cyber security within the EU, and this will only improve as compliance rises.

For further information visit: