As British Airways now knows, ‘belt and braces’ after a GDPR breach no longer cuts it
It was a contractor who got the blame when British Airways had an IT crash in 2017, but a more recent data breach affecting 500,000 of its flyers has proved more difficult for the airline to shake off, despite it adopting a ‘belt and braces’ approach to GDPR-compliance since the breach, writes Lily Morrison of Gerrish Legal.
So ‘data controllers’ should indeed follow their legal duties after a data breach occurs, by reporting the breach to the relevant data protection authority and by cooperating with that authority from there onwards. But as British Airways (BA) has found out, doing all that can still land you in trouble. Indeed, in BA’s case, it has been sanctioned with a huge fine -- the largest fine that has been issued under the GDPR by a data protection authority.
It therefore seems that, in line with our prediction, the Information Commissioner’s Office (and potentially other data protection authorities too) will no longer be so understanding of companies that are found not to be using the GDPR to their advantage, as a framework for ensuring that they avoid data breaches.
British Airways, the cyber attack victim
In this case, the ICO, which oversees the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (2016/679) (GDPR), has revealed that its intention is to fine British Airways £184 million.
It all stems from September 2018, when unsuspecting BA customers using the genuine BA portal were directed to a fake website as part of a phishing operation, where users entered their log-in details, payment details, travel booking details and personal information such as their names and addresses. Hackers gained users’ trust by pretending to be a trusted third party, and it is estimated that 500,000 people were targeted.
Following the requirements placed on it under Article 33 of the GDPR, BA notified the ICO of the suspected breach. Under this Article, companies need to inform the relevant authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, describing the number of subjects and categories of data affected, the likely consequences of the breach, and the measures that will be taken to mitigate the possible adverse effects.
Cooperative post-GDPR doesn't cut it
The ICO itself has described British Airways as having been ‘cooperative’ since the breach, given that it has made improvements to its security systems and worked with ICO officials to rectify any damage caused. Despite this, the ICO has been unforgiving, hitting BA with a massive multimillion-pound fine. British Airways has expressed disappointment at this decision, issuing a statement that it had expected a softer touch given it responded quickly to the criminal act. The company has also argued that it has found no evidence of any criminal activity on accounts linked to the breach, indicating that no material harm was caused. It apologised to the affected customers and explained the data breach which occurred. It clearly thought that these steps would be enough.
Information Commissioner Elizabeth Denham has explained that in failing to protect their customers’ personal data, organisations create more than just inconveniences. The ICO sees that accountability is at the centre of getting data protection right, and this fine is hoped to demonstrate to companies that it is serious about ensuring proper data protection. The GDPR has set out clear responsibilities -- companies entrusted with personal data must provide this data with the utmost protection, and those that don’t will find themselves under scrutiny.
The key development for data contractors and other data-processors or sub-processors to note here is that data protection authorities like the ICO will no longer be as forgiving of data errors and data breaches.
No longer just a descriptor
Put another way, it’s now very apparent that the GDPR isn’t there simply to describe how companies should act in the event of a data breach. It places a duty on companies to ensure the personal data they are trusted with is safe, so that these data breaches should not occur in the first place. Merely following the GDPR’s rules on reporting a data breach after such an event has occurred will not make up for a lack of strict GDPR compliance before the breach, and will not be enough to avoid sanctions.
So be in no doubt: the lenient attitude displayed by data protection authorities in the transitional first year of the GDPR has ended. Moreover, it is likely that this heavy fine is a sign of things to come, and we understand that the ICO has already set its sights on the next company deserving of a huge fine.
The GDPR really is prescriptive, so be proactive. Ensure that your current data protection practices clearly follow its prescriptive rules, so that you can demonstrate compliance and avoid having anything to do with what could be a very costly oversight.