So, those of us who warned how profoundly dangerous a GDPR fine could be for businesses two years ago weren’t wrong – we were among the very first to recognise the implications and it’s now clear that the game has changed and if either your GDPR compliance, or cybersecurity, are compromised it can bankrupt your business. The first major GDPR fine – £183 Million – yes you read that right – is now public. Contact [email protected] for quick, comprehensive guidance.
I’m not going to go into detail about our long track record of anticipating this kind of seismic change once GDPR and its fines came into force, and solving these challenges quickly within major businesses and SMEs. Just scroll back on our news feeds on this website, Twitter and my LinkedIn to see how long we’ve been warning about this and how much we have been doing to help businesses and organisations adapt quickly to this. If you still haven’t, maybe now is the time to get in touch: we can still conduct you a GDPR Gap Analysis within 3 days for £950+VAT. But enough of the sales pitch – this fine needs deeper analysis, and the ICO’s announcement of it is brief (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/).
First of all, let’s consider the story itself. Here’s the BBC’s take on it (which was made top story on the BBC homepage today). We share Rory Cellan-Jones’ view, as quoted below: https://www.bbc.co.uk/news/business-48905907
I imagine that many people’s first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine – surely the decimal point must be in the wrong place?
After all the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.
The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe’s GDPR. This allows fines of up to 4% of annual turnover.
Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon but today’s news will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation.
The message is clear – if you don’t treat your customers’ data with the utmost care expect severe punishment when things go wrong.
British Airways certainly appears to be stunned. But then again it could have been worse: the full 4% of turnover would have meant a fine approaching £500m.
So, why the huge fine? Well, several elements combined here to make this leap of 367% on the previous highest amount, under the first major GDPR fine.
- People’s financial data is classified as ‘sensitive data’ under GDPR, as it can be used against them. Loss of bank account information also puts their ‘rights and freedoms’ at risk under GDPR definitions, because it puts them at high risk of being defrauded or stolen from. And 500,000 customers and 380,000 transactions were potentially compromised here, by being routed through a fraudulent website. It could have been worse though – passport and travel information was apparently unaffected.
- Nonetheless, the hack that was causing these issues was (presumably) not detected or addressed for some time. A hack that is identified and resolved very quickly, might not result in such high fines.
- The hack may have taken place due to a third-party service which handles users’ online transactions with BA (analysis here: https://www.bbc.co.uk/news/technology-45446529). As ever more companies make ever more use of website services provided by third parties (to handle online transactions, for example), the risks and challenges of maintaining security are getting even harder. This also raises issues of responsibility when third-party platforms are in use. The ICO is clearly in no doubt here that BA itself should be held responsible, rather than any third party. But looking more widely, should companies update their third-party contracts to hold providers responsible for more of the risks and liabilities created by their platforms when embedded or integrated with the company’s own website and systems? How can those providers themselves manage the risks of being so widely used on such a wide range of websites and hosting platforms by their clients? Will companies try to pass the buck sometimes for their own cybersecurity issues by trying to hold their third party services responsible?
- The size of BA’s business enables a very high GDPR fine to be applied – the maximum possible would have been £500m, so the ICO have still left themselves scope to levy bigger rates against companies: yet £183m is still only about two-fifths of the worst-case-scenario they could have levied here. So, big and bad as this fine might look… the ICO themselves still think that breaches and the fines applied can be more than double as bad as this!
So in hindsight – Facebook is pretty lucky that the Cambridge Analytica scandal broke before GDPR fines applied. Because a GDPR fine at the maximum level for that would have been a staggering amount of money. They got off light, on just £500,000, the maximum possible at the time.
As we’ve said all along, every company and organisation needs good advice about GDPR and GDPR fines – and we’re still finding that lots of companies who think they’re compliant are a long way from fully managing the needs of this regulation. Our Gap Analysis can be completed in person within 3 days for just £950+VAT, if you’re looking for an obvious way to find out where you stand, and we can provide any combination of Consultancy and Project Management to manage or check your compliance programme or cybersecurity programme from there. We can also take interim, part-time roles to be your Data Protection Officer, while delivering GDPR solutions for your business until you get into a position to self-manage these needs. Email [email protected] to get started.
Making a sensible, controlled investment in your GDPR compliance and information security is a short-term cost that can save your company vastly more money in the medium- to long-term. If you have to report a breach to the ICO yourself, you may have to explain for what preventive actions you had taken. Let us help you before it gets to that point.