Fines fly following British Airways data breach

The headlines that British Airways is facing a fine of £183.39M, after the personal data of some 500,000 customers was harvested by attackers, show the tough stance of the UK’s data regulator following the introduction of EU data protection laws last year.

The General Data Protection Regulation (GDPR) has set stricter operating boundaries for businesses processing personally identifiable information about individuals, and it also introduced extended powers for data regulators, which in the UK means the Information Commissioner’s Office (ICO).

Under the previous data protection laws, the maximum penalty for a data breach was £500,000, but following the introduction of GDPR in May 2018, fines of up to €20m, or 4% of total worldwide turnover, can be imposed on businesses.

In the British Airways case, unsuspecting customers were diverted from the real BA website to a fraudulent site. Even though the breach did not take place on BA’s own website, the ICO’s investigation found that poor security arrangements at BA had compromised customer data, including login, payment card and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

“It’s up to British Airways to make representations to the regulator over the findings to see if they can demonstrate why the proposed fine should be reduced,” explained GDPR legal expert Jane Crosby of Hart Brown LLP in Guildford, “but this is a clear indication that the regulator is not going to pull any punches over data breaches under the new laws.”

The aim of GDPR was to harmonise data protection across all EU member states, meaning that any UK business trading with EU citizens must comply, both now and after Brexit. It introduced a statutory obligation to notify the regulator of any breach which placed an individual’s personally identifiable information at risk, and the ICO has recorded more than 40,000 data protection complaints since the launch of GDPR, with 14,000 personal data breaches reported.

So what do we do now? GDPR checklist

  • Carry out a data audit and data register

Look at what data you collect and how it is handled within the organisation. Review your policies and ensure they are relevant to your organisation. Make sure you understand the circumstances in which you are required to conduct Data Protection Impact Assessments. These are key to the GDPR philosophy of designing systems with privacy at their heart and should be undertaken whenever data processing could result in a high risk to individual rights and freedoms.

  • GDPR training

Ensure staff have adequate and up-to-date training on data protection. Regular enactments of mock data breaches can help keep GDPR at the forefront for staff, as well as identifying where changes may be needed. Whenever policies are updated, make sure refresher training is conducted with the relevant staff, with more detailed development training for any staff who are on the front line of data management. Should your business be affected, the ICO will look at whether adequate training has been carried out.

  • Reporting to the ICO

Employees should be encouraged to recognise and report data incidents, so make sure you have a culture that encourages open reporting. Keep a register setting out the breaches. The ICO wants to see that you have a good system in place for prompt identification and reporting, as the longer it takes to identify a possible data breach.

  • Transfer out of the EU

If you pass personal data to third parties, such as suppliers, or transfer it outside the EU for any reason, it’s important that all related contracts and processes comply with GDPR requirements.

This is not legal advice; it is intended to provide information of general interest about current legal issues.

Partner, Dispute Resolution

Jane Crosby

Jane is an employment and commercial litigation solicitor of more than 15 years' experience.

Prior to entering the legal profession, Jane was employed in the aviation industry. This experience is appreciated by many of Jane's clients who note that she is able to take a commercial and pragmatic approach to any legal issue that they face.

Jane acts for a wide range of individuals and businesses and her areas of specialism include aviation, property related industries and IT. Jane regularly advises on aspects of employment law, such as settlement agreements, employment contracts, policies and procedures, redundancies, equal pay, data protection, issues arising from TUPE and reorganisations, the calculation of holiday pay, bonus and commission payments, disciplinary and grievance issues, dismissal and termination issues, the protection of confidential information and the enforcement of restrictive covenants. Jane gets involved in GDPR training for her clients and she is able to deliver tailored employment law training sessions upon request.

As a commercial litigation lawyer, Jane also deals in shareholder and directors disputes, commercial contract disputes and the enforcement of restrictive covenants.

Jane has been involved in successful high value commercial litigation for clients in the High Courts, she is an accredited mediator and she is a member of the Employment Lawyers Association.

Jane is often asked to write for a number of well-known publications, including The Daily Mail, The Telegraph and The Week, and she has been interviewed on BBC Radio 4.

© Copyright Hart Brown LLP 2019 - All Rights Reserved. VAT registration no. 211372705