Complying with the GDPR, the General Data Protection Regulation, has been obligatory for over a year now. The regulation was designed to standardize regulations in the countries of the European Union, as well as to provide users with greater control over their personal data.
In the first year of the GDPR, member states have attended a total of 144,376 queries and complaints related to the regulation, and have reported a total of 89,271 data breaches. In total, the fines handed out add up to €56 million. It is, however, worth pointing out that, of the €56 million, €50 million is from the fine that the French authorities gave to Google in January, which, until today, was the highest fine under the regulation.
The British Airways data breach
In September last year, British Airways announced that it had fallen victim to a data breach. Attackers managed to steal the personal data of around 500,000 BA customers. This data included names, credit card numbers and their CVV codes, and email addresses. The attackers managed to steal this information by modifying the script on the BA website, in a supply chain attack.
Now, the Information Commissioner’s Office (ICO) in the UK has fined the airline £183 million (€204,110,000) for this breach. According to the ICO, this is the largest find that they have ever given, and it is the highest fine so far under the GDPR. It is the equivalent of 1.5% of British Airways’ annual global turnover in 2017, which corresponds to Level 1 of the regulation. While the fine is very large, the GDPR allows for fines of up to 4% of a company’s annual global turnover, which, in the case of BA, would be £488 million (€544 million).
The airline reacts
The company now has 28 days to appeal. Willie Walsh, CEO of IAG, the owner of BA, has announced that the company would make representations to the ICO.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
Álex Cruz, CEO of BA, said that he was “surprised and disappointed” with the ICO penalty. He says that “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Avoid fines in your company
The fines that can be given under the GDP are very high – up to €20 million or 4% of a company’s annual global turnover – but the reputational damages are also an important factor to bear in mind. No company wants to become famous for receiving a record fine for not protecting their personal data properly.
To avoid the negative consequences that the GDPR can bring, it is vital to correctly protect the personal data that your company stores. Panda Security can help you: Panda Data Control is the module of Panda Adaptive Defense that is specifically designed to help with GDPR compliance.
Panda Data Control discovers, audits and monitors all the unstructured personal data on your company’s corporate network. This way, you’ll know exactly where your company’s data is stored, who is handling it, and what actions they’re taking on it.
Total visibility of files, users, devices and servers that access this information, so you can supervise any action carried out on the personal information that you store.
What’s more, this module helps you to comply with several articles of the GDPR. This includes the right to erasure, data protection impact assessment, security of processing and notification of a personal data breach to the supervisory authority.
These days, large companies manage a vast quantity of personal data. The only way to protect it is to know where it is at all times and know who is accessing it.