The supervisory authority for GDPR compliance, the Information Commissioner's Office (ICO), has recently published its decision to fine British Airways (BA) £20 million. This followed its failure to protect the personal and financial details of over 400,000 BA customers.
Personal data exposed included names, addresses and payment card details. User details of BA employees and some BA Executive Club accounts were also potentially accessed.
The fine is the largest imposed to date by the ICO for breach of the General Data Protection Regulation (GDPR). Maximum fines imposed by the authorities may be up to 4% of the total worldwide annual turnover or 20M Euro, whichever is the greater.
The breach happened as a result of a cyber-attack and the ICO found that BA as a data controller, failed to process personal data in a manner that ensured appropriate data protection security, as required under GDPR compliance. The investigation by the ICO confirmed that the airline was processing a significant amount of sensitive personal data without adequate security measures in place, with weaknesses in its IT security which could have been remedied at the time to avoid a data breach.
Other recent fines
The ICO has also recently taken enforcement action recently with a breach notification against Experian, ordering it to make fundamental changes as to how it handles personal data within its direct marketing services.
But if you believe that the ICO only has large business in its sights regarding some form of data breach, you would be very much mistaken. Many much smaller firms are finding themselves on the end of an expensive GDPR fine issued by the ICO.
Reliance Advisory that operates in the field of claims management services such as mis-sold PPI, had a £250K fine imposed by failing in their electronic marketing towards the way they handled customer data.
Many other small businesses have also been caught out by making unsolicited direct marketing calls - with fines in excess of £100K for not meeting a specific GDPR requirement.
How to ensure compliance
Both a data controller and data processor are required to take appropriate security measures, protecting personal data and taking into account the costs of implementation and the nature, scope, context and purposes of the processing.
What is a Data Controller?
The ICO defines this as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'
What is a Data Processor?
The ICO defines this as 'a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.'
An up-to-date IT Security Policy and procedures are necessary to be compliant with GDPR, including appropriate security measures that may include:
- Limiting access to applications, data and tools
- Undertaking rigorous testing by simulating a cyber-attack
- Protecting employee and third-party account with multi-factor authentication
Other appropriate measures include:
- Pseudonymisation and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing
Being GDPR compliant
Personal data security forms part of overall GDPR / data protection compliance. It is important to take necessary steps to have up to date compliance internal and external documents and procedures, often including:
- Data Protection Policy or Standard
- Data Retention Policy
- IT Security Policy
- Contracts with any data processors / services providers
- GDPR language in your customer contracts
- Employee - related GDPR compliance requirements
- Assessment of marketing activities
- Data Privacy Notices, including for website
- Cookie Policy
- Other necessary data processing documentation
It is also important to train all staff and contractors on relevant GDPR compliance policies and procedures towards handling personal data, ensuring the right level of awareness and risk mitigation is in place.
GDPR and Brexit
UK will be seen as a country outside of the EEA (European Economic Area) from January 2021 (after the current transition period) while having the Data Protection Act 2018 in place that ensures that the provisions of GDPR are still applicable.
All UK based businesses will still need to comply with both GDPR and other relevant EU data protection legislation while being based in UK, a country outside of the EEA, that does not have an official adequacy decision in respect of its data protection laws.
You may need to have certain provisions in place, such as appointing a representative and having special contractual clauses if you offer goods or services to EEA or otherwise process personal data of individuals based in EEA, as well as ensure that your privacy notices are updated.
Read our blog: GDPR post-Brexit
Read our blog: GDPR post-Brexit
LawBite can help
As a starting point, everyone should visit our GDPR page. Here, you can find more details on what your business needs to consider. You can also arrange a data protection impact assessment, helping you with specific data processing questions or documentation you need to get into place to be GDPR compliant.
You get a free, 15-minute consultation with one of our expert lawyers.
