Is now the time for brands to completely rethink their approach to first party data?

When GDPR first came into enforcement, the unofficial message from the ICO seemed to be that organisations showing a positive intent to comply would receive some sympathy. This message was reinforced, to business at least, by the modest fines issued to Equifax and Uber. In total those breaches exposed 20 million UK citizens and totalled £1.3M in fines. However, last week the ICO issued fines to BA and Marriott totalling £300m for failing to protect 500k customers' data. It's fair to say the message has changed.

The ICO statement is even more powerful when you look into BA and Marriott's cases. Just like Uber and Equifax, BA and Marriott exposed personal data as a result of cyber-attacks. Both followed the ICO guidelines on notifying customers and the ICO within 72 hours. But, unlike Equifax and Uber, there was very little sympathy from the ICO.

BA was hacked by a group called Magecart, who also hacked Ticketmaster UK and several other websites in 2018. BA took steps to notify their customers within 72 hours as required by law, offering customers a two-year subscription to myID, an Experian service to protect against online fraud. And yet, the ICO still found that BA had 'poor security arrangements' that led to 500k customers' passport and credit card details being accessed by criminals.

Marriott's fine is even harsher in that the violation had nothing to do with Marriott itself but rather with a company Marriott acquired in September 2016 – Starwood Hotels and Resorts Worldwide – which had been compromised as far back as 2014. When Marriott learnt of the issue in November 2018, they notified the ICO as required. The ICO investigation found that Marriott had not undertaken adequate due diligence when it bought Starwood, raising the question – did the M&A folks in the US, where both Marriott and Starwood are based, even know to look for this?

Another debate to be had is what exactly the ICO deems to be "substandard security" when processing and storing personal data. While the ICO has not issued a full report yet, following this hike in fines there will be an element of fear for anyone picking up the phone to report a data breach. From an outside viewpoint, it does seem a little unfair that the Uber and Equifax fines equate to £0.65 a person while for BA and Marriott it's £600 a person, given that both leaked similar datasets.

Parking these questions for now, we can safely say that the ICO has made it clear that in their view business is not showing clear intent to comply with GDPR, and they are correct. Like most regulations, rather than trying to understand why the regulation exists, most businesses seem to have fallen into the trap of viewing it as a check-box exercise.

GDPR is there to ensure customers can trust brands with their data, and that brands will take every step in their power to prevent exposing them to fraud. There can be little doubt that lots of high-profile brands have done a lot of damage to establishing and sustaining that trust, and brands are running out of second chances. The ICO's step-up in stringency should bring this into focus: if brands don't take this seriously they won't get any customer information, which will make the internet a difficult place to do business, arguably even more damaging than a nine-figure penalty.

The regulation is incredibly important for building consumer trust in brands. Brands that do it well will gain loyal followers. Those that don't…

This shift in the severity of fines raises an important and more philosophical question for brands to answer – just because you can, should you? From a media perspective, first party data is considered the pinnacle, but is it worth the risk?

At Hearts, we encourage our clients to think very carefully about the value and potential risks of holding first party data. Whilst it is a great asset if used and processed correctly, we don't believe it is the be-all and end-all. These regulations will only get tighter and more heavily policed, so clients shouldn't be spending all of their energy on deterministic modelling. Instead, the future lies in more sustainable approaches such as real-time probabilistic measures, something we already do for a number of our clients.

The story for BA and Marriott is certainly not over, with both companies mounting legal challenges to their fines. We suspect we will see a softening of the penalties over the coming months, but the message from the ICO is loud and clear. First party data handling and breaches are serious, and the punishment will be hefty – and that's before consumers have their say.

James Londal, Chief Data Officer, Hearts & Science UK