A stark reminder of the rules: BA faces eye-watering GDPR fine

08 July 2019
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.


British Airways given £183 million fine for data breach – the first public GDPR fine in the UK

In the sunrise period for GDPR (the General Data Protection Regulation), it was a hot topic not just in the industry, but temporarily in the mainstream media as well. People with no interest in IT, never mind data security, were aware of the law and interested to see what was going to happen. A bit like how we all become tennis aficionados for two weeks during Wimbledon. Since then, with (relatively speaking) small fines being issued for breaches that occurred under the old laws, the subject had left the mainstream again until today, with the news that the Information Commissioner's Office (ICO) has handed down a fine of £183 million to British Airways (BA).

Information Commissioner Elizabeth Denham's stance is clear. In the announcement she says:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

A surprise? Not really

The reaction within the industry has not been one of massive surprise. A statement fine to a blue-chip company was widely expected. The fact that it hasn't happened sooner is simply because of the time it takes for thorough investigations to run their course; the ICO was still processing many cases that actually occurred before 25th May 2018. On the face of it, a fine 367 times bigger than the previous highest fine in the UK does seem eye-watering, but it could have been £500 million based on BA's global revenue. Even in this detail, the ICO has taken the opportunity to spell out the new rules of engagement to everyone looking on. It was a massive breach of personal data, therefore a big fine was likely, but it could have been much bigger. The ICO highlighted that BA had co-operated with the investigation and had already taken measures to improve security.

What else will we learn from this landmark case?

The existence of the BA breach has been known for some time, so this has been an eagerly awaited announcement. Just as eagerly awaited, though, is what happens next. An appeal is widely expected, but if that is unsuccessful, will there be a legal challenge? Or will one of the UK’s flagship brands pay the fine and focus on repairing the damage to its brand?

Removing data in SAP

This is of course why many organisations have chosen our Data Privacy suite for SAP. The key point: don't keep real personal data in test and development systems where it isn't needed. With an effective scrambling solution, you can have test data that is just as realistic as the real thing, without the risk of exposing real personal data in a breach. And in Production systems, don't keep the data any longer than you need to. Remove sensitive information or identifiers without having to archive.

Incidentally, in a non-SAP environment the concept of redaction has already been tested in Austria, with the local equivalent of the ICO finding that, if the identity could not be reverse engineered, redaction did uphold the Right to be Forgotten.
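The two ideas above (consistent scrambling for test copies, and in-place removal of identifiers in production that cannot be reverse engineered) as an added illustration; this is example code written for this post, not EPI-USE Labs' Data Privacy suite or DSM. The partner and order records, the name lists and the key are constructed; the keyed HMAC stands in for whatever scrambling rules a real tool applies.

```python
import hashlib
import hmac

# Constructed sample records (not real customer data): a business-partner
# table and a sales-order table that references it by partner_id.
PARTNERS = [
    {"partner_id": "1000001", "name": "Alice Example", "email": "alice@example.com", "city": "London"},
    {"partner_id": "1000002", "name": "Bob Sample", "email": "bob@example.org", "city": "Leeds"},
]
ORDERS = [
    {"order_id": "500001", "partner_id": "1000001", "amount": 120.50},
    {"order_id": "500002", "partner_id": "1000002", "amount": 80.00},
]
FIRST_NAMES = ["Jordan", "Casey", "Morgan", "Riley", "Avery", "Quinn"]
LAST_NAMES = ["Taylor", "Reed", "Brooks", "Hayes", "Parker", "Ellis"]

def _prf(key: bytes, value: str) -> bytes:
    # Keyed HMAC: same input under the same key gives the same output, so
    # references stay consistent across tables; the key stays in production.
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def scramble_id(key: bytes, partner_id: str) -> str:
    # Replacement id in the same 7-digit shape as the original.
    d = _prf(key, partner_id)
    return str(1000000 + int.from_bytes(d[:4], "big") % 9000000)

def scramble_partner(key: bytes, rec: dict) -> dict:
    # Test/dev copy: identifying fields become realistic-looking fakes derived
    # from the original id; non-identifying fields (city) are kept as-is.
    d = _prf(key, rec["partner_id"])
    first = FIRST_NAMES[d[4] % len(FIRST_NAMES)]
    last = LAST_NAMES[d[5] % len(LAST_NAMES)]
    return {"partner_id": scramble_id(key, rec["partner_id"]),
            "name": f"{first} {last}",
            "email": f"{first.lower()}.{last.lower()}@test.invalid",
            "city": rec["city"]}

def scramble_order(key: bytes, rec: dict) -> dict:
    # Same PRF on the foreign key, so scrambled orders still join to partners.
    return {**rec, "partner_id": scramble_id(key, rec["partner_id"])}

def redact_partner(rec: dict) -> dict:
    # Production erasure: overwrite identifiers in place and keep no mapping,
    # so the identity cannot be reverse engineered; business fields survive.
    return {**rec, "name": "REDACTED", "email": None}

def orders_join(partners: list, orders: list) -> bool:
    # Referential-integrity check after scrambling: every order has a partner.
    ids = {p["partner_id"] for p in partners}
    return all(o["partner_id"] in ids for o in orders)
```

The scrambling key must never be copied to the test system alongside the data, otherwise the "fake" identities become re-linkable to the real ones.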

