Anyone under the impression that GDPR enforcement would be eased into the market got a huge wake-up call this week. A $230M sized wake-up call. British Airways was fined by the UK privacy watchdog the Information Commissioner’s Office (ICO) as punishment for the data breach that the company experienced last year. And GDPR played centre stage in the level of punishment.
In September 2018 British Airways notified the ICO, as it is obliged to under GDPR, of a data breach that resulted in the theft of sensitive information, including credit card details, of approximately 500,000 individuals. The new powers granted to regulatory bodies such as the ICO by the introduction of GDPR were considered a possible game changer if they were enforced as per the letter of the law. The size of the fine and the accompanying comments by the ICO show that the regulators truly have a very big stick to use.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Information Commissioner Elizabeth Denham.
GDPR Shows its Teeth
GDPR allows companies to be fined up to 4% of annual turnover for a serious breach of the regulations. Although large, the British Airways fine only represents 1.5% of their annual turnover for the period in question. Not surprisingly, British Airways are feeling a little put out by the size of the fine and will likely appeal. The company complied with the GDPR notification requirements to the relevant national body, the ICO, and cooperated with the investigation process. Their statement implies that this should have meant a lesser penalty. However, it’s possible that they have already received a lesser fine, in the shape of only 1.5% of turnover, compared to what could have been applied had they not been so forthcoming.
The action taken by the ICO appears to be a watershed moment that everyone should take note of. There have been other fines levied by the ICO, including a fine on Facebook for the Cambridge Analytica scandal in the amount of about $640M for the mishandling of millions of users’ personal data. In the ruling the ICO noted that the size of that fine was the maximum that could be handed out under the regulations that were in place at the time of the incident. Had it occurred within the GDPR timeline, the fine could have been in excess of $1.5B.
GDPR Lessons Learned from the BA Breach
There are a few takeaways that every organization should note from the events of this week:
- If you only paid lip service to GDPR preparation, then think again. If the UK is setting the benchmark for the fines, then the days of token gesture fines or a “slap on the wrist” are long gone. Google and Facebook should take note as both are currently under investigation by EU authorities.
- British Airways is an EU based company but GDPR has a global reach. The BA fine was not the only one handed out by the ICO for a GDPR violation. Marriott were also slapped with a $123M fine for their data breach last year.
- Finally, and most importantly, ALL companies need to ensure that all their sensitive information is appropriately protected in the digital age, and not just data that is covered by GDPR or similar privacy regulations. Customer data, financial data, employee data, intellectual property, even something as simple as an upcoming press release can seriously damage the reputation and bottom line of an organization if it is leaked.
Read our 5 Tips for Balancing Security and Collaboration Needs to ensure you stay out of the GDPR cross hairs by keeping your sensitive information secure.