Case study #2 – July 2019
We will close the month of July with this GDPR landmark case, the biggest and heftiest fine so far. We hope it is the last of its kind.
British Airways (“BA”) fined over £183m for a personal data breach under the GDPR
Following a comprehensive investigation by the UK Information Commissioner’s Office (“ICO”), the ICO announced on 8th July 2019 that it intends to fine British Airways (“BA”) about £183m for a personal data breach under the General Data Protection Regulation (“GDPR”). Compared to last week’s fine issued to Marriott, this is a landmark penalty since the GDPR came into force. The anticipated bill relates to a cyber incident that BA reported to the ICO in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where the fraudsters were able to harvest the data for their own gain. Personal data of about 500,000 customers was compromised while they made booking reservations, and may have included payment data. The fraudulent activity is believed to have begun in June 2018.
The ICO’s investigating team concluded that the attack was possible because of inadequate security arrangements at BA, including its customer login procedures.
Information Commissioner Elizabeth Denham said:
“People’s (personal) data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Since the incident, BA has made significant improvements to its security arrangements in collaboration with the ICO.
As in Marriott’s case, one might expect the ICO and the other EEA authorities to show leniency towards BA by reducing the sanction or penalty. But as Information Commissioner Elizabeth Denham outlined above, the GDPR makes no provision for such leniency: the law makes it very clear that companies will be held accountable and can be fined up to 20 million euros or 4% of total annual worldwide turnover if found to be in breach.
As British Airways is a registered United Kingdom business, the ICO has been investigating the case as lead supervisory authority on behalf of the other EU Member State data protection authorities. The ICO will carefully consider the representations made by British Airways, and by the other concerned data protection authorities, before it takes its final decision.
What must you take away from these cases?
Make sure your processes are robust: pay attention to ICT and to all internal processes and tools. Consult experts to help manage GDPR procedures during any change to the systems you rely on, whether HR, payroll, SharePoint, CRM or any other database. Report a data breach sooner rather than later.
Remember! Data Security Management is expensive and imperative.
Businesses in the UK and EEA must keep the guidelines established under the GDPR 2018 at the forefront. For a serious case such as British Airways’ breach of the GDPR, a data protection supervisory authority can issue a maximum fine of up to 20 million euros or 4% of the undertaking’s total annual worldwide turnover in the previous fiscal year, whichever figure is higher.
Watch out for our 2019-2020 international payroll workshop dates, and check out our payroll training events on our website and social portals.