British Airways data breach – GDPR fines may reach new heights


Information Commissioner’s Office (ICO) announces its intention to fine British Airways for a data breach under GDPR

The ICO has just published its Notice of Intent to fine British Airways £183.39 million for infringements of the security principle of GDPR. The breach was disclosed by the airline back in September 2018.

While the ICO has so far published only its intention, and no fine has yet been imposed, the fact that it has issued a Notice of Intent suggests it considers the evidence of the infringement sufficient to keep British Airways on the hook.

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login credentials, payment card and travel booking details, and customers’ names and addresses.

Key takeaways based on what we know so far:

  1. Organisations should take appropriate measures to ensure GDPR compliance. There is no one-size-fits-all solution.
  2. The regulatory process takes time. It has taken nearly 10 months for the ICO to publish its Notice of Intent.
  3. Co-operation helps. The ICO said that British Airways has cooperated with its investigation and has already made security improvements following the breach. Under GDPR, the ICO can fine organisations up to 4% of their annual global turnover. Based on the Notice of Intent, the proposed fine would be only 1.5% of British Airways’ global turnover in 2017.

In other news this week, King’s College London has notified the ICO that it breached GDPR by unlawfully sharing sensitive personal data about politically active students and staff with the Metropolitan Police. This was detected following a review carried out by an independent higher education consultant, who found that none of these individuals had been part of a disciplinary process or found to have violated the policies or regulations of King’s College London. The university is now working on a plan to implement the review’s recommendations.

VinciWorks’ job-specific GDPR refresher training


Compliance with the General Data Protection Regulation (GDPR) is an ongoing process. Best practice for compliance training is to enrol staff in a new GDPR course around once a year, rather than simply asking them to take the same course. Fully interactive, VinciWorks’ new customisable GDPR refresher course combines short bursts of learning with practical scenarios and real-life examples to ensure all staff know how to safely and securely work with data. Staff in roles that require advanced training, such as HR, IT and marketing, can choose to take job-specific modules.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
