Cyber Security Article: As The Proposed ICO Fine Of British Airways Shows, GDPR Is Not “Year 2000 Again”

Following the launch of “RDP Data Defence™”, RDP Law has been out and about talking to organisations about data protection and the laws that came into effect last year.

Thankfully, the majority of organisations we have spoken to recognise their legal obligations and are working hard to make sure that their business has in place appropriate organisational and technical measures to keep personal data secure. Look online, however, and there is a mixed response – some view the GDPR as being just another “fad” or simply another “year 2000 over which there was a lot of fuss about nothing”.

However, as the breaking news about British Airways today shows, the General Data Protection Regulation (GDPR) gives the Information Commissioner’s Office (ICO) real teeth to take action against those it thinks have not complied with their legal obligations. As at the time of writing, the ICO has released a statement setting out its intention to fine British Airways £183.39m under the GDPR for a data breach. According to the ICO statement, the proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. In short, it is alleged that traffic to the British Airways website was re-directed to a fraudulent website which then collected personal data of about 500,000 British Airways customers. Although British Airways co-operated with the ICO investigation and has since taken action to improve its security arrangements, according to the ICO statement today:

“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well [as] name and address information”.

British Airways will now have the opportunity to make representations to the ICO as to the proposed findings and proposed sanction. Other data protection authorities in the EU whose residents have been affected will also have the opportunity to comment on the ICO’s findings. All representations will be considered by the ICO before it makes its final decision, so it is possible that the proposed decision and the headline-grabbing figure of £183.39m will be amended.

Even were the ICO to reconsider its position, today’s statement from the ICO is undoubtedly a cautionary tale. If your organisation holds personal data, you need to review, test and challenge your organisational and technical measures regularly to make sure that they adequately protect the personal data you hold. Compliance is not just about having a privacy notice in place: it is about a fundamental review of your privacy practices and that includes your approach to cyber security.

If you would like to find out more about what your organisation needs to do to comply with data protection legislation contact Dr Kerry Beynon on 01633 603178.