With much attention being given to the implementation of the General Data Protection Regulation (GDPR) and its impact on businesses earlier this year, it was perhaps unsurprising to see British Airways’ data breach earlier this month at the forefront of news headlines.
The data breach occurred between 21st August and 5th September 2018, during which time the British airline was unaware of the ongoing attack. Both financial and personal details of British Airways’ (BA) customers were obtained by hackers, with a suspected 380,000 individuals affected.
The GDPR guidelines state that in the event of a data protection breach, businesses should disclose the breach, and its extent, to the relevant authority within 72 hours and, if the breach is serious enough, notify those affected without undue delay. BA is reported to have complied with both of these guidelines. This tight window in which businesses must now alert their customers is intended to avoid a repeat of historic breaches where customers were not promptly told that their data had been compromised.
Much of the media attention surrounding the GDPR was centred on the high penalties available to the Information Commissioner’s Office (ICO) if a breach were to occur. The new financial penalties available to the ICO are up to €20 million or up to 4% of a business’ annual turnover, whichever is higher. It remains to be seen whether the ICO will issue BA with a financial penalty and, if so, whether it will reach these new higher figures. It may be that the ICO will use this instance as a deterrent to other businesses that fail to comply with the new data protection regulations.
If you’re concerned that your business is not yet GDPR compliant then please contact Matt Worsnop on 0116 281 6235 or by email at [email protected].