Data breaches under the GDPR - will the sky come crashing down on British Airways?
11 September 2018
Between 21 August and 5 September, British Airways (“BA”) suffered a data breach - in essence, its systems were “hacked”. This has affected the personal data of around 380,000 individuals. Following an announcement through BA’s Twitter account, the story was quickly picked up by mainstream media outlets, demonstrating the significant publicity that such events can generate in a short space of time.
What action do you need to take in the event of a breach?
Data breaches don’t just require prompt action in relation to dealing with the media. Speed is also important in terms of containing the damage to data subjects, and dealing with the regulator and affected individuals.
Where a breach is likely to result in a risk to individuals' rights and freedoms - which will often be the case where financial details are compromised – the regulator must be notified within 72 hours of the controller becoming aware of the issue. This notification requires the business to provide information including:
- a description of the nature of the breach, including the categories and approximate number of individuals concerned;
- a description of the likely consequences of the breach; and
- a description of the measures taken, or proposed to be taken, to deal with the breach.
As one would imagine, this requires businesses to act quickly. In addition, where there is a high risk to individuals, the organisation must contact those affected. There is no set deadline for this but it must be done without undue delay. Where financial information has been compromised, this should really be done as soon as possible.
In this case, BA appears to be reaching out to those customers who were affected. It has released a statement saying:
“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.”
Risk of fines
Unsurprisingly, many commentators have focused in on the significant fines that can be levied under the GDPR. When the new law came into force on 25 May 2018, a significant increase in the penalties for breach of data protection laws was perhaps the most infamous change it introduced. The legislation sets out two levels of fines:
- up to €10 million, or 2% of total worldwide annual turnover, whichever is higher
- up to €20 million, or 4% of total worldwide annual turnover, whichever is higher.
The second, higher category can be imposed for breach of the data protection principles, one of which is that controllers must process data in a “manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (the “Security Principle”).
If following an investigation, the Information Commissioner’s Office (“ICO”) was to find that BA had breached the Security Principle, this higher category of penalty could potentially be imposed. It has been observed that, given BA’s significant turnover, the theoretical level of fine is eye-watering. The Daily Telegraph, for instance, noted that 4% of worldwide turnover of International Airlines Group (BA’s parent) would constitute €919 million. These are scarily big numbers.
Yet despite the headlines, not all hacks are going to lead to a fine in practice. If there is an infringement of the Security Principle, the ICO will consider various factors including: the nature, gravity and duration of the infringement; whether it was intentional or negligent; any action taken by the controller to mitigate the damage; and the technical and organisational measures in place to prevent security breaches in the first place. (After all, even good security measures are not necessarily impenetrable.)
So while it is true that large fines issued by the ICO in the past have often related to security breaches, and that the level of potential fines is now far higher, this does not necessarily mean we will see the vast sums that have been discussed in this case.
What the last few days do show is how damaging these incidents can be in reputational terms, with both customers and the media increasingly focused on data breaches of this type. The amount of coverage this issue has received shows that, regardless of any regulatory action BA may or may not face, data breaches are something to be taken extremely seriously.