Last year saw a series of high profile breaches of GDPR involving "household names". The Information Commissioners Office (ICO) have now said that they intend to impose what would be a record fine of £183,000,000.
British Airways were no doubt surprised (to put it mildly) at the level of fine given that they say that the breach did not result in any fraudulent activity on accounts linked to the breach. The ICO said that "poor security arrangements of the company led to the breach of credit card information, names, addresses, travel booking details and logins for around 500,000 customers". The ICO has made it clear that the loss of personal data is "more than an inconvenience" and that the company should take appropriate steps to protect fundamental privacy rights hence the size of the proposed fine, not just to penalise British Airways but to make it clear to all organisations that personal data and the GDPR should be treated with caution and respect. Could British Airways have done anymore to avoid the breach? No doubt they will say that they are being punished "on principle" to set a standard for other organisations.
Over a year after the introduction of the General Data Protection Regulation what this most recent announcement does show is that there is a great emphasis on the proper protection and retention of personal data. The ICO appears to be targeting large organisations to make headlines so that all organisations then need to consider carefully what they are doing to comply not just with GDPR but also its concepts and culture. Data suggests that many organisations of all sizes are not yet appreciating the need to take appropriate steps and some have not even started the "journey" towards GDPR adoption. Highlighting this type of fine will make it clear to all customers that they have a right to expect not just compliance with the letter of the GDPR but also its fundamental concepts. There is also no "get out of jail free card" for charities who are required to also adopt the high standards in particular around records they keep of contributors and how they go about their marketing activities which are central to fundraising for charities of all sizes.
For more information about the General Data Protection Regulation or advice on your own organisation's compliance with the GDPR and its fundamental culture contact Clapham & Collinge's GDPR lead Neale Grearson on 01603 693500 or email firstname.lastname@example.org
*This article is provided for general information purposes only and does not constitute legal advice or other professional advice.
If you'd like to receive our monthly email newsletter, legal updates and event invitations, sign-up to our email mailing list by clicking here