British Airways Hit with GDPR Fine, Shows the Cost of Not Protecting Customer Data
The kaboom you heard earlier this week was the United Kingdom’s Information Commissioner’s Office (ICO) laying the hammer on British Airways in the form of a £183.39M ($230M) fine for its failure to prevent a 2018 data breach that disclosed sensitive data on over half a million BA customers.
It’s exactly the kind of disaster that BA could have avoided had it heeded our advice early last year: “Get moving fast to improve cyber protection and privacy for your customers’ sensitive data. It won’t be long before national regulatory agencies start levying massive fines on well-known companies that fail to do so.”
Penalties for unsafe customer data
That’s exactly how GDPR regulatory authorities are rolling these days: finally hitting a big-name offender with a penalty amounting to a significant percentage of its annual revenue. The British Airways case is designed to be a wake-up call to any company with customers residing in the EU.
Considering that GDPR fines can go up to 2% of a company’s revenue for minor offenses and up to 4% for more serious ones, BA got off comparatively lightly with its 1.5%-of-revenue fine. Yet the amount is still an eye-opener when compared to the previous UK record for a GDPR non-compliance penalty: Facebook’s relatively skimpy half-million-pound (US$625K) fine from last year.
Additional costs of non-compliance
We have long outlined the adverse effects of finding yourself in the crosshairs of GDPR regulators: loss of customer trust and loyalty, damage to your brand and stock price, and a serious haircut on your profits, all of which BA is now suffering.
Just as the UK ICO intended, the case is a cannonball across the bow of businesses around the world: “If you collect any kind of sensitive data on EU-resident customers, you’d better protect it, or we will hit you where it hurts – in the wallet.”
That makes today a useful time to brush up on steps you can take to avoid BA’s costly fate, and how Acronis can help you get there.
Steps your organization should take
- Improve your overall security of processing – You need to protect EU customers’ personal data, which includes familiar items like their name, email address, etc. but is now more broadly defined to include things like location data, genetic information, etc. Acronis can help you encrypt this personal data wherever it is backed up or stored and in transit to backup/storage repositories. We can also help you monitor your cyber protection environment to keep an eye out for potential threats.
- Be careful with cross-border data transfers – You can now store personal data only in physical locations the EU considers to have adequate security, essentially the EU itself and a shortlist of other countries. Acronis can help you store and back up personal data to our global network of secure data centers (as well as your own premises) and explicitly limit where it goes to those of our and your locations that are on the approved list.
- Defend sensitive customer data against security breaches – This is what bit BA. You must take stronger steps to prevent unauthorized access to and tampering with your EU customers’ personal data (like malware attacks, hardware failures, and human error). If and when you fail to do this, you also have to notify the authorities very quickly, as well as your customers if the breach is serious enough. Acronis Backup with Active stops ransomware attacks, the most prevalent malware attack out there, before they become breaches. Our cyber protection products, in general, will also let you restore damaged or lost personal data from any kind of breach.
- Comply with newly strengthened data subject rights – You have to give your EU customers much more access to and control over their personal data, and delete it from your systems when they no longer want to do business with you. The extensive search features of our cyber protection products let you easily find and export customer data from Acronis backups and storage.
Improving GDPR compliance
GDPR requires you to attend to some other details as well, like hiring (or designating an existing employee as) a Data Protection Officer, someone who owns final responsibility for your company’s GDPR compliance. We cannot help there, nor can we provide the expert legal advice we recommend you get to review your GDPR compliance plans.
What Acronis can help you with is building easy, efficient, secure cyber protection and storage for your customers’ sensitive data, and defend it against serious malware threats like ransomware and cryptojacking.
Additional information available
- Acronis GDPR educational resources: https://www.acronis.com/en-us/gdpr/
- Overview of GDPR (webinar replay): http://youtube.com/watch?v=EsZl490nWtQ&t=76s
- 12 practical steps toward GDPR compliance (webinar replay): http://www.brighttalk.com/webcast/16607/313255/12-practical-steps-toward-gdpr-compliance
- IDC analyst report on GDPR and Acronis Backup: https://www.acronis.com/en-us/static/business/idc/
- Acronis blog posts on GDPR: https://www.acronis.com/en-us/blog/search/node/gdpr