Data Privacy News

July 9, 2019

British Airways Faces a £183m GDPR Fine


British Airways (BA) faces a £183m fine for a data breach that began in June 2018, the UK Information Commissioner’s Office (ICO) announced on Monday in a notice of its intention to fine the airline.

It is the biggest penalty any data protection authority has proposed under the GDPR so far, dwarfing the previous record of €50 million that France’s CNIL imposed on Google in January 2019 for failing to adequately disclose its data collection practices.

In the breach, visitors to a BA website were diverted to a fraudulent site set up by the attackers. There, the attackers harvested the personal data of around 500,000 customers, including logins, payment card details, names and addresses.

While the fine may seem large, it could have been worse. Under the GDPR, the ICO can fine up to 4% of annual global turnover (or €20 million, whichever is higher) for this kind of infringement, so BA’s fine could have been more than twice as large.

The ICO Statement

Information Commissioner Elizabeth Denham bluntly summarised the reason for the fine in her announcement, “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”

As the Information Commissioner explained, companies have an obligation to protect their customers’ data. The “poor security arrangements”, as the ICO put it, on BA’s website allowed the attackers to redirect customers to the fraudulent site.

Furthermore, the airline did not disclose the breach until September 2018, stating even then that only 380,000 customers had been affected.

Under the GDPR, companies must protect any personal data customers entrust to them with security appropriate to the risk (Article 32). BA’s data protection programme failed to meet that standard given the quantity and sensitivity of the data it held.

How to avoid GDPR fines

Avoiding fines from the ICO or other data protection authorities sounds intimidating, but a few simple steps protect your customers’ data, and you from fines.

1. Know your data

What types of personal data do you collect and store?

How many people are you collecting data from?

Are there any “special categories” of data involved?

Do you transfer it outside the EEA?

The answers to these questions determine the risk associated with the customer data you hold. The higher the risk to the people whose data you process, the stronger the security you need in order to satisfy a data protection authority if something goes wrong or if you are audited.

BA was fined because its security safeguards were not adequate for the high volume and sensitivity of the data it collected. Knowing your data risk is the first step to preventing a situation like BA’s.

2. Know your security

If you experience a data breach, you will have to report it to your data protection authority, normally within 72 hours of becoming aware of it. If, under inspection, your software is not kept up to date, or you do not use basic controls such as anti-malware software, firewalls and TLS (HTTPS) on the pages that carry your web forms, you will probably be liable for a fine.

The same goes for access controls: if everyone in your company can access customers’ personal data, regardless of whether they need it for their job, you are setting yourself up for a fine.

3. Get audit-ready

You need to be prepared for an audit or investigation if a data breach does happen. That means having the appropriate policies and procedures in place well before the breach occurs.

These include a data breach response protocol, a general data protection policy, and cybersecurity and data protection training for every employee who has access to personal data.

Finally, make sure you document your personal data in a personal data inventory, describing the types of data your company collects, where it’s stored, how long it’s kept, who has access to it, how it’s deleted, and to whom it’s transferred.
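As an added example that is not part of Sovy’s article or its product, the three steps above can be captured in a small machine-readable personal data inventory together with the checks an auditor would run over it: a risk tier from the step 1 questions, a deny-by-default access check for step 2, and retention, deletion and transfer findings for step 3. The field names, risk thresholds, role names and the two sample records are assumptions constructed for illustration, not guidance from the ICO.

```python
# Added example (not Sovy's code or a product feature): a minimal machine-readable
# personal-data inventory with the checks described in steps 1 to 3 above.
# Role names, thresholds and the sample records are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# EEA member states (ISO 3166-1 alpha-2): EU-27 plus Iceland, Liechtenstein, Norway.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT", "RO",
    "SK", "SI", "ES", "SE",
}
# Article 9 special categories of personal data.
SPECIAL_CATEGORIES = {
    "health", "genetic", "biometric", "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership", "sex_life_or_orientation",
}
# Not "special" under Article 9, but high impact if leaked (the data in the BA breach).
HIGH_IMPACT = {"payment_card", "credentials"}


@dataclass(frozen=True)
class DataAsset:
    """One row of the personal-data inventory."""
    name: str
    categories: frozenset[str]    # kinds of personal data held
    subjects: int                 # how many people it covers
    storage: str                  # system or location holding it
    storage_country: str
    retention_days: int           # how long a record is kept after collection
    oldest_record: date           # collection date of the oldest record still present
    readers: frozenset[str]       # roles allowed to read it (deny by default)
    deletion_method: str          # how records are removed, "" if undefined
    transfers_to: frozenset[str]  # countries the data is sent to


def risk_level(asset: DataAsset) -> str:
    """Rough risk tier from the step-1 questions: data type, volume, special
    categories and transfers outside the EEA. The thresholds are assumptions."""
    score = 0
    if asset.categories & SPECIAL_CATEGORIES:
        score += 2
    if asset.categories & HIGH_IMPACT:
        score += 2
    if asset.subjects >= 100_000:
        score += 1
    if asset.transfers_to - EEA:
        score += 1
    if score >= 3:
        return "high"
    return "medium" if score >= 1 else "low"


def can_read(asset: DataAsset, role: str) -> bool:
    """Deny-by-default access check: only roles listed in the inventory may read."""
    return role in asset.readers


def audit(asset: DataAsset, today: date) -> list[str]:
    """Findings an auditor or data protection authority would raise for this row."""
    findings = []
    if asset.oldest_record + timedelta(days=asset.retention_days) < today:
        findings.append("retention period exceeded: overdue deletion")
    if not asset.deletion_method:
        findings.append("no deletion method documented")
    if "all_staff" in asset.readers:
        findings.append("access not limited to roles that need it")
    outside = sorted(asset.transfers_to - EEA)
    if outside:
        findings.append(f"transfer outside the EEA to {', '.join(outside)}: safeguards needed")
    return findings


# Constructed sample inventory; these are not real systems.
BOOKINGS = DataAsset(
    name="customer-bookings-db",
    categories=frozenset({"name", "address", "credentials", "payment_card"}),
    subjects=500_000, storage="bookings PostgreSQL cluster", storage_country="IE",
    retention_days=365, oldest_record=date(2018, 1, 10),
    readers=frozenset({"all_staff"}), deletion_method="", transfers_to=frozenset({"US"}),
)
NEWSLETTER = DataAsset(
    name="newsletter-list",
    categories=frozenset({"name", "email"}),
    subjects=12_000, storage="mailing-list SaaS", storage_country="DE",
    retention_days=730, oldest_record=date(2019, 3, 1),
    readers=frozenset({"marketing"}), deletion_method="unsubscribe purges within 30 days",
    transfers_to=frozenset(),
)
INVENTORY = [BOOKINGS, NEWSLETTER]
AUDIT_DATE = date(2019, 7, 9)  # date of the article, used as "today" for the sample run


def report(today: date = AUDIT_DATE) -> dict[str, tuple[str, list[str]]]:
    """Risk tier and findings per asset, keyed by asset name."""
    return {a.name: (risk_level(a), audit(a, today)) for a in INVENTORY}


if __name__ == "__main__":
    for name, (tier, findings) in report().items():
        print(f"{name}: risk={tier}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it lists each asset with its tier and findings; the bookings database comes out "high" with four findings (overdue deletion, no deletion method, unrestricted access, a US transfer), while the newsletter list is "low" with none. In practice the inventory rows would be loaded from a file or register rather than defined inline, and the report kept with the audit evidence.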

Need help?

Sovy GDPR Privacy Essentials can help you with each of the steps laid out above:

  • Walk through a data mapping exercise and build your data inventory.
  • Build all the policies you need under the GDPR, including a privacy policy, data protection policy, and data breach response forms.
  • Train your employees with industry-standard eLearning courses.
  • Track document access and history to ensure transparency in the event of an audit.
  • Manage your cookies and data rights (e.g. access, deletion, portability) with our consent manager dashboard.

Find out more about how Sovy GDPR Privacy Essentials can help you, or get in touch for more information.


Copyright © 2020 Sovy Trust Solutions Limited. All Rights Reserved. Registered in Ireland, No. 610835 and No. 605069