The Information Commissioner’s Office (ICO) intention to fine British Airways £183 million for personal data breaches affecting its customers will be of enormous concern to those in charge of cyber security. Even before the dust had settled on the British Airways story, the news came that the ICO had also issued a similar notice of its intention to fine Marriott International more than £99 million for personal data breaches.
More than an inconvenience
In the British Airways case, the personal details of 500,000 customers were harvested when they were diverted to a fake website. The leaked details included login information, payment card details, travel booking details and names. While British Airways maintains that its customers suffered no actual losses resulting from the data breach, the clear message from the ICO is that negligent loss of personal data is punishable with or without financial loss to the data subjects. ICO Commissioner Elizabeth Denham stated:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t, will face scrutiny from my office to check that they have taken appropriate steps to protect fundamental privacy rights.”
The British Airways £183 million intended fine represents 1.5% of its worldwide annual turnover for the year (2017). It is the biggest intended fine that the ICO has issued to date and dwarfs the £500,000 fine that the ICO handed to Facebook in 2017 for its role in the Cambridge Analytica scandal. The British Airways intended fine has, of course, been issued under the new GDPR regime, in which fines for data breaches can be as high as 4% of annual global turnover. A 4% charge on its annual global turnover would have seen British Airways paying a fine of over £500 million.
Beyond administrative fines, the ICO also has other enforcement options, which it can use depending on the magnitude of the personal data breach. These include, but are not limited to, issuing warnings and reprimands, ordering compliance or rectification, imposing temporary bans on processing, and suspending data flows to third countries.
No time to despair
As the GDPR begins to bite, organisations cannot afford to sit back. The best way forward is to treat the protection of personal data, and information security in general, as a corporate governance matter. Again, in the words of Commissioner Elizabeth Denham: “Personal data has a real value, so organisations have a legal duty to ensure its security, just like they would do with any other asset…”
Some of the necessary practical steps in achieving an effective security and privacy programme include:
- Developing comprehensive data protection policies.
- Assigning a sufficient budget and manpower to the protection of personal data and information security.
- Having in place a personal data inventory detailing the personal data collected, the purpose and method of its collection, and how it is stored.
- Carrying out data protection impact assessments (DPIAs) to identify the processing activities that pose a high risk to the business and to data subjects.
- Reviewing the manner in which consent is obtained to ensure it complies with the requirements of the GDPR.
- Reviewing privacy notices on websites to ensure that they provide sufficient information on the purpose of the processing, the legal basis for the collection of personal data and the rights of data subjects.
- Training staff about GDPR requirements and basic IT security.
- Putting in place sufficient security, operational and technological measures to minimize the possibility of personal data breaches.
- Reviewing supplier and procurement arrangements to ensure that they comply with the processor requirements of the GDPR.
- Having technological and operational measures in place that ensure personal data breaches are expeditiously detected, reported and investigated. As the British Airways and Marriott International experiences show, transparency and full co-operation with the regulator during the investigation of a personal data breach is a mitigating factor.
The key to achieving all of this is to have in place a DPO function that is experienced, highly skilled, independent and fully dedicated to the protection of personal data. For any organisation, this is critical to protecting its reputation and building trust.