11 July 2019 | Comment | Article by Emily Powell
The recent news that British Airways has been issued a notice of a fine of a record-breaking £183 million for breaching data protection laws is likely to have unnerved anyone responsible for cyber security and handling personal data. We take a look at how you can seek to avoid being hit by a similar fine.
What is the General Data Protection Regulation (GDPR)?
The GDPR came into force in 2018 and is the biggest transformation to data protection and privacy in the past 20 years. The GDPR allows organisations to be fined up to 4% of a company’s turnover for breaches in a new attempt by European policymakers to incentivise security practices and stop large-scale data breaches.
What happened to British Airways?
The British Airways fine of £183 million represented 1.5% of its turnover in 2017. Michael Veale, a digital rights researcher who specializes in data law, reports that he suspects regulators have set the level of the fine on the basis that it was a “wholly avoidable data breach which resulted from sloppy technical and organizational practices”. Contrasted against the previous data protection regime which capped fines at £500,000 the level of this fine can be seen to be a huge step change in the enforcement of the data protection regime.
The Information Commissioner's Office (ICO) has stated that the £183 million figure is not final and that it will “consider carefully” responses from the airline and others before issuing a final decision.
Is this the start of a new trend?
Since the announcement of the notice of the BA fine, it has been announced that the ICO is also to issue a fine of almost £100 million to Marriott (the international hotel group) after hackers stole the records of 339 million guests (7 million relating to U.K. residents) which appeared to go back as far as 2014, but was only discovered last year.
Whilst Marriott has stated that it will appeal the decision, these two very large fines recently imposed by the ICO may signal a sign of things to come and the start of a new trend from the ICO when it comes to the enforcement of the data protection regime.
The future of data protection regulation
The message from the ICO is clear - if you are entrusted with people’s personal data you must be able to protect it or be ready to face severe punishment. The £183 million fine to British Airways and the £99.2 million fine to Marriott have exceeded the estimates of commentators and demonstrate just how seriously the ICO will consider breaches of data protection laws. In order to prevent being hit with a similar fine, companies will need to ensure that they have carefully and thoroughly considered their obligations under the data protection regime and have taken particular care against the risks associated with the hacking of their systems.
Protecting your organisation from data breaches
We appreciate that advice is widely available on data breach protection. We’ve scoured many articles, including checking the ICO’s data security incident trends and others. These are the areas we consider the most important when it comes to protecting your organisation from data breaches but we advise you to seek professional legal advice which will be tailored to your organisation and its needs.
- Updated security software
Ensure your software is updated whenever it is offered as they are only issued when necessary and could be in light of security vulnerability. Delaying a software update can therefore leave you exposed to a costly data breach unnecessarily.
- Back up your data and encrypt it
Personal data should at a very minimum be encrypted including on work laptops supplied to employees. Data can also be backed up to remote facilities using the internet which is safer than using backup tapes that can be easily lost or stolen.
- Third-party data security evaluations
This option allows someone from outside the company to view the current breach risks objectively. A data security expert can advise each company on the most appropriate solutions specific to them and shows a serious intention by the company to protect personal data.
- “White Hat” hackers
“White Hat” hackers are used to hack a company, with their consent, in order to identify weak points in data protection software. These high-level attacks can be very useful in preventing sophisticated attacks as they are equally efficient and exhaustive as external attacks.
- Employee training and awareness
Train employees to follow best practices, so that they are conscious of the importance of data security and how to prevent mistakes that could lead to data breaches. Building a culture within your company that appreciates the importance of data protection is crucial.
If you need formal advice or more information on ways in which you can protect your organisation then please get in touch to speak with our Commercial, Procurement and Data Protection teams.