In the sunrise period for GDPR (the General Data Protection Regulation), it was a hot topic not just in the industry, but temporarily in the mainstream media as well. People with no interest in IT, never mind data security, were aware of the law and interested to see what was going to happen. A bit like how we all become tennis aficionados for two weeks during Wimbledon. Since then, with (relatively speaking) small fines being issued for breaches that occurred under the old laws, the subject had left the mainstream again until today, with the news that the Information Commissioner's Office (ICO) has handed down a fine of £183 million to British Airways (BA).
Information Commissioner Elizabeth Denham's stance is clear. In the announcement she says:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The reaction within the industry has not been one of massive surprise. A statement fine to a blue-chip company was widely expected. The fact that it hasn't happened sooner was simply because of the time it takes for thorough investigations to run their course. The ICO was still processing a large number of cases which actually occurred before 25th May 2018. On the face of it, a fine 367 times bigger than the previous highest fine in the UK does seem eye-watering, but it could have been £500 million based on BA's global revenue. Even in this detail, the ICO has had the opportunity to spell out the new rules of engagement to everyone looking on. It was a massive breach of personal data, therefore a big fine was likely, but it could have been much bigger. The ICO highlighted that BA had co-operated with the investigation and had already taken measures to improve security.
The existence of the BA breach has been known for some time, so this has been an eagerly awaited announcement. Just as eagerly awaited, though, is what happens next. An appeal is widely expected, but if that is unsuccessful, will there be a legal challenge? Or will one of the UK’s flagship brands pay the fine and focus on repairing the damage to its brand?
This is of course why many organisations have chosen our Data Privacy suite for SAP. The key point: don't keep real personal data in test and development systems where it isn't needed. With an effective scrambling solution, you can have test data that is just as realistic as the real thing, without any breach risk. And in Production systems, don't keep the data any longer than you need to. Remove sensitive information or identifiers without having to archive.
Incidentally, in a non-SAP environment the concept of redaction has already been tested in Austria, with the local equivalent of the ICO finding that if the identity could not be reverse-engineered from what remained, then redaction did uphold the Right to be Forgotten.
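To make the two points above concrete (scrambling a non-production copy so it stays realistic but cannot be mapped back, and blanking identifiers in place rather than archiving), here is an added Python illustration; it is not the article's or the vendor's code, and the customer and booking tables, the name pools and the per-copy key are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed pools of plausible names so scrambled records still look real.
FIRST_NAMES = ["Ana", "Ben", "Chloe", "Dev", "Erin", "Femi", "Gita", "Hugo"]
SURNAMES = ["Adams", "Baker", "Clarke", "Dunn", "Evans", "Ford", "Green", "Hill"]

def _digest(key: bytes, field: str, value: str) -> bytes:
    # Keyed one-way function: the same real value always maps to the same
    # pseudonym within one copy (so joins survive), but once the key is
    # discarded there is no path back from pseudonym to real value.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()

def scramble_name(key: bytes, value: str) -> str:
    d = _digest(key, "name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {SURNAMES[d[1] % len(SURNAMES)]}"

def scramble_email(key: bytes, value: str) -> str:
    return f"user-{_digest(key, 'email', value).hex()[:12]}@example.invalid"

def scramble_id(key: bytes, value: str) -> str:
    # Format-preserving: a numeric id of the same length, so downstream
    # code that validates or joins on the id keeps working.
    digits = "".join(str(b % 10) for b in _digest(key, "id", value))
    return digits[: len(value)]

def scramble_copy(customers: list, bookings: list) -> tuple:
    key = secrets.token_bytes(32)  # fresh per copy and never persisted
    safe_customers = [{"id": scramble_id(key, c["id"]),
                       "name": scramble_name(key, c["name"]),
                       "email": scramble_email(key, c["email"])} for c in customers]
    safe_bookings = [{"customer_id": scramble_id(key, b["customer_id"]),
                      "route": b["route"]}  # not personal data, kept as-is
                     for b in bookings]
    return safe_customers, safe_bookings

def forget_customer(customers: list, customer_id: str) -> list:
    # Production side: blank the identifiers in place so the record can stay
    # for accounting or statistics without the person being identifiable.
    return [{**c, "name": "REDACTED", "email": "REDACTED"}
            if c["id"] == customer_id else c for c in customers]

# Constructed sample data standing in for a real customer and booking table.
CUSTOMERS = [{"id": "10001", "name": "Jane Doe", "email": "jane@example.com"},
             {"id": "10002", "name": "John Roe", "email": "john@example.com"}]
BOOKINGS = [{"customer_id": "10001", "route": "LHR-JFK"},
            {"customer_id": "10002", "route": "LGW-MAD"}]
```

Because the key is generated per copy and thrown away, the pseudonyms in one test system cannot be correlated with those in another, nor with production.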