07 September, 2018
Today's headlines are being dominated by the story that British Airways has suffered a data breach that has left the personal details and payment cards of 380,000 customers potentially exposed. The theft occurred via the airline's website and mobile app.
It is hardly a surprise that many are already beginning to wonder whether this breach will be the first high-profile test case for GDPR and the new Data Protection regime. After a great deal of buzz and excitement in the build-up to its enforcement, there has yet to be a prominent example of a breach under the new 2018 Data Protection Act that has received attention in the mainstream media. The recent Facebook/Cambridge Analytica fine was imposed under the previous 1998 Data Protection Act.
Under the 2018 Act, the consequences for BA could be far more severe than those suffered by Facebook in the Cambridge Analytica scandal. Where Facebook received what was then the maximum fine of £500,000 for a misuse of data affecting 50 million users, the newer, tougher rules of the 2018 Act could see BA face a fine of £500 million for a breach affecting far fewer people. This amount, equal to 4% of BA's worldwide annual turnover, would be the maximum fine under the 2018 Act and, at 1,000 times the fine received by Facebook, is a further indication (as if any more were needed) of how seriously GDPR must be taken.
The most pertinent question for BA, and indeed for anyone who suffers a reportable data breach in the future, therefore has to be: 'what steps can be taken to reduce the impact of enforcement once a breach has happened?'
First and foremost, the most effective way of cutting one's losses following a breach is to report it promptly and effectively to the ICO and to communicate with any data subjects affected. Failure to notify a breach 'without undue delay' to either of these parties can result in an additional fine on top of the fine for the original breach. These notification fines on their own can amount to 2% of worldwide annual turnover, or in BA's case an additional maximum of £250 million.
In terms of lowering the amount of the original fine, the GDPR sets out the principles that determine the amount of any fine. Many of these are obvious, such as the principle that a breach of more sensitive data will lead to higher fines, or the principle that the level of fine will depend on whether the breach was deliberate, negligent or the result of illicit activity by an outside party. Many of the principles, however, concern the steps taken by the data controller after it becomes aware of the breach, and from these we can see that BA, or any organisation suffering a data breach, does have some opportunity to soften the potential consequences.
The two most relevant principles to any organisation post-breach are that a calculation of a fine should take into account "any action taken by the controller to mitigate the damage suffered by data subjects" and "the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects".
Put simply, once a reportable breach has occurred it is in the data controller's best interest to make no attempt to hide the fact. Not only should the breach be reported to the ICO and those affected, but an organisation should take any other measure to reduce the effect of any breach. In practical terms, this could mean allocating resources to support those affected, taking time to regularly update users on progress and making the users part of the investigation process, providing access to legal services for those affected, and enlisting assistance of trusted third party services to both reduce the usability of the data breached and to ensure similar breaches cannot happen in the future.
From what has been reported, it would appear that BA has been proactive following this breach in mitigating the potential damage to those affected. A press statement has already outlined that affected customers have been notified, with instructions on how to approach their bank and limit the effect of the stolen payment details. The breach has also already been investigated from a technological standpoint, with the website and app both up and running again.
In short, it seems unlikely that the full weight of GDPR penalties will be on display in this instance, though it will be fascinating to see just how far the new powers and higher fines will be used as this case unfolds.
Forbes regularly advises on matters concerning Data Protection and GDPR. If you have concerns over any GDPR compliance issues in your organisation, contact us at firstname.lastname@example.org to find out more about how we can help.