GDPR bares its teeth as British Airways faces £183 million fine for data breach
We’ve had to wait a full year for the UK’s first GDPR data-breach fine, but it’s now clear the regulation isn’t to be taken lightly.
British Airways faces an eye-watering £183m fine after the Information Commissioner’s Office (ICO) announced its intention to penalise what it called ‘poor security arrangements’, after attackers stole the personal data of around 500,000 customers.
The compromised data included login, payment card, name, address and travel booking details. According to the ICO, traffic to the BA website was diverted to a fraudulent site, through which the attackers harvested customer details.
To put the UK’s first GDPR fine into context, it is equivalent to 1.5% of BA’s £11.6bn global turnover in 2018 (the regulation allows penalties of up to 4% of worldwide annual turnover), and it will feature in the company’s annual report and be mulled over by shareholders and potential shareholders alike.
BA has found to its cost that GDPR isn’t a paper tiger: it has real teeth, and cybersecurity must now be a board-level consideration, with the buck finally stopping at the desk of the CEO.
The previous record fine for UK data mismanagement was a ‘mere’ £500,000, levied against Facebook over the Cambridge Analytica scandal; that was the maximum available under the old Data Protection Act 1998.
While the fine is big by anyone’s standards, the only surprise is that it has taken this long for the first GDPR fine to be handed out. A quick review of the ICO’s official website shows the body has issued 71 fines for data mismanagement since July 2017.
So, what can retailers and hospitality firms do to ensure they remain GDPR compliant? The cornerstone of GDPR is protecting consumer data. Vodat has produced its own security guide, and a separate GDPR guide detailing the five steps organisations need to take to ensure they are compliant. Here’s a quick summary of the full report.
1. Create a comprehensive data log
Retailers need to create one clear and comprehensive log of all the personal data they hold, including where it is stored, the systems used to store and process it, and how those systems work together. This record of processing activities is the first step towards fulfilling several of GDPR’s central principles, and it is also what you will need when a breach has to be scoped quickly against the notification deadline.
2. Improve security and create a data breach plan
Under GDPR, a retailer must notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to individuals, and must tell affected customers without undue delay where that risk is high. The notification has to describe what happened, the likely consequences for those affected, and the measures being taken in response. This makes an effective, well-rehearsed data breach plan essential. The plan should cover how security breaches are detected in the first place, how key internal departments coordinate once one is found, and how external communications with affected customers and the regulator are handled.
3. Review current processes used to obtain consent
Where a retailer relies on consent to process customers’ personal data (consent is one of several lawful bases under GDPR; performance of a contract or legitimate interests may apply instead), that consent must be freely given, specific, informed and unambiguous, and must be explicit for special category data. You also need to explain in plain language what data you have collected and what you use it for, and the data cannot be used for any purpose other than the one agreed with the customer. Consent must be a clear affirmative act, so silence, inactivity or a pre-ticked box does not show that permission has been granted. Retailers may also need to re-obtain consent for data gathered under the old rules. If so, they should plan how to do that without breaking GDPR itself (for example, do not use data that was not properly obtained in the first place to re-solicit consent).
4. Create processes allowing customers to access and download their data
Under GDPR, customers have the right to access their personal data and, where they provided it to you and it is processed by automated means on the basis of consent or a contract, to receive it in a portable, machine-readable format (the rights of access and data portability). In practice, this means retailers need processes that fulfil such requests without undue delay and at the latest within one month, extendable by up to two further months for complex requests. Retailers also need a process for the right to erasure (the ‘right to be forgotten’), which lets customers ask for their data to be deleted in certain circumstances, for example where it is no longer needed for the purpose it was collected for or where consent is withdrawn.
5. Review all third-party contracts
Retailers are likely to work with vendors or other third-party partners who act as data processors. Under GDPR the retailer, as data controller, remains accountable for how that data is processed and used, and a breach or misuse at a processor does not transfer the liability away from the retailer; processors also carry their own direct obligations and can be fined in their own right. Article 28 requires a written contract with every processor setting out the subject matter, duration, nature and purpose of the processing, the types of data and data subjects involved, and the processor’s obligations, including acting only on the retailer’s documented instructions and assisting with breach notification. Retailers should therefore review every contract they hold with these partners to ensure there are no gaps or ambiguities in accountability.
Data security is a complex issue, but with the right network partner and effective security controls in place, attacks can be stopped or their impact significantly reduced.