Today we saw the ICO issue a notice of its intention to fine British Airways £183.39m for infringements of the GDPR – a record fine and the largest yet seen in the UK and the EU. The proposed fine relates to a cyber incident which BA notified to the ICO (as BA’s lead data protection authority, or DPA) in September 2018. The incident involved the theft, via the BA website and mobile app, of personal data relating to customers over a two-week period. In terms of next steps, BA now has an opportunity to make representations to the ICO on the proposed findings and sanction before any final penalty notice is issued.
This action by the ICO demonstrates that it is prepared to enforce the GDPR and to levy significant fines. Ensuring that a company is properly prepared for, and responds effectively to, privacy and cyber security threats is a key corporate governance responsibility for directors and senior officers. Whilst it may not always be possible to prevent a cyber incident, other companies should learn from today’s high profile enforcement action and take steps now to mitigate the impact of a cyber security incident and of any resulting breach of the GDPR. Key aspects for companies to consider include:
- Conduct regular testing, for example, periodic attack and penetration testing, or other similar testing to assess cyber risk preparedness.
- Develop and deliver regular training to different groups, including senior managers, to communicate expectations around breach prevention, identification and reporting, supported by regular practical tabletop exercises that run through and rehearse the handling of hypothetical cyber incidents.
- Maintain an inventory of key information assets and data systems so that the business can assess how it would be affected by cyber threats and which systems hold personal data.
- Maintain clear processes and guidelines for incident response, including a data breach response plan that is designed around the GDPR’s 72-hour deadline for notifying the supervisory authority of a reportable personal data breach (Article 33) and the separate duty to inform affected individuals where the breach is likely to result in a high risk to them (Article 34).
- Carry out a gap assessment of existing cyber security policies and procedures against information security regulatory requirements in the EU, the US and elsewhere.
- Engage in threat intelligence sharing (for example through industry bodies) to anticipate general and industry-specific threats.
- Maintain an inventory of key vendors to identify potential third-party risks.
- Maintain a log of incidents and breaches, together with lessons learned, to identify and prevent recurring incidents and underlying vulnerabilities.
In addition, we expect the GDPR to be used by individuals to recover damages for both financial and non-financial loss, and also to be deployed in business-to-business litigation. Unlike regulatory fines, damages recoverable under the GDPR by individuals or organisations that litigate under it are not capped. Because of these potential liabilities, many of our clients are disclosing the GDPR as a key risk factor to their regulators, shareholders and other stakeholders.