SaaS Agreements – GDPR – Personal Data Breaches and How to Avoid them

Recently there have been a number of high profile cases involving the UK’s data protection authority (the “ICO”), imposing very large fines on Marriott and British Airways for serious data breaches. SaaS customers and SaaS suppliers should be reviewing the appropriateness of their technical and organisational measures to avoid the risk of being fined up to 4% of global turnover for serious personal data breaches.


According to the ICO’s annual general report 2018 – 2019 published in July 2019, complaints from members of the public to the ICO have doubled in the last 12 months. The largest proportion of complaints relates to subject access requests, but this is followed by data breaches.

What is a Personal Data Breach

The GDPR defines a personal data breach as: “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Personal data means any information concerning or relating to an identified or identifiable individual. SaaS suppliers and SaaS customers should be aware that a personal data breach can cover a lot more than just ‘losing’ personal data. It also includes any breach of security that leads to accidental or unlawful destruction, alteration or disclosure of personal data. For example, resulting from accidents (such as sending an email to the wrong recipient) as well as deliberate acts (such as phishing).

SasS customers and suppliers should be aware that a personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data. Accordingly, all personal data breaches are security incidents, but not all security incidents are necessarily personal data breaches.

Recent Personal Data Breaches

British Airways

On the 8th July 2019, the ICO announced its intention to fine British Airways £183m for personal data breaches relating to user traffic to the British Airways website being diverted to a fraudulent site where customer details could be harvested by attackers. The personal data breach involved around 500,000 customer’s data and included log in, payment card, and travel booking data, as well name and address data.


On the 9th July, the ICO announced its intention to fine Marriott International £99m for personal data breaches which began in 2014 and was only discovered in 2018. The personal data breach involved the personal data of around 339 million guest records worldwide (30 million related to EU residents, of which 7 million related to UK residents).

ICO Actions:

One Stop Shop

Under the ‘one stop shop’ provisions of the GDPR, Marriott and British Airways are being investigated by the ICO – who is the lead supervisory authority. The lead supervisory authority investigates the breach on behalf of all data protection supervisory authorities in the EU whose residents have been affected by the breach. Each national data protection supervisory authority in the EU will have the chance to comment on the ICO’s findings.


In the above 2 cases no fines have yet been imposed by the ICO. The ICO has at this stage, notified both British Airways and Marriott of its intention to fine them. Each company now has an opportunity to make representations to the ICO in relation to the proposed findings and sanctions.

In determining the proposed level of the fine the ICO commented that both companies had co-operated with the ICO investigation and had made improvements to their security arrangements since these events came to light.

The ICO will now need to consider the representations of Marriott and British Airways and the other concerned national EU supervisory authorities before it make a final decision on the level of each fine and any other sanctions.

Preventing a Data Breach

In light of the above, SaaS suppliers and SaaS should ensure that they have in place appropriate technical and organisational measures to keep personal data safe. The measures taken should be appropriate to the risk the processing represents.

The following security measures should always be taken:

  • Having firewalls, anti-virus applications and malware protection to protect hardware, devices and networks in place;
  • Using up to date software and operating systems;
  • Installing patches and updates without delay.

The following internal organisational measures should as a minimum be implemented:

  • Having a security policy;
  • Having a data protection policy;
  • Having a business continuity plan/disaster recovery plan.
  • Training staff on data protection issues;
  • Carrying out regular risk assessments of staff, systems and suppliers.


Since the GDPR came into force on the 25th of May 2018 the potential fines that the ICO can impose on a SaaS supplier and/or SaaS customer for a personal data breach can be very large, as shown by the recent fines proposed for Barclays and Marriott. Whether you are a SaaS supplier or SaaS customer you should ensure that you are taking appropriate actions to minimise the risks of a personal data breach as this could in the long run have a serious knock on effect on the level of any subsequent fine proposed by the ICO.


Irene Bodle is an IT lawyer specialising in SaaS agreements and cloud computing with over 15 years experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:

SaaS Agreements – Brexit – Preparing for a No Deal Brexit

SaaS Agreements – Brexit – EU data Transfers to the UK after Brexit

SaaS Agreements – Brexit – Amendments to SaaS Terms and Conditions

SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR

SaaS Agreements – GDPR – The General Data Protection Regulation

SaaS Agreements – FAQs – Personal Data

SaaS Agreements – FAQs – Data Processor