ManagedIT - issue 54

GDPR | MANAGED.IT 11 | www.managedITmag.co.uk

ICO bares its teeth

The decision by the Information Commissioner’s Office (ICO) to issue notices of ‘intent to fine’ British Airways and Marriott International is a much needed reality check for organisations that may have been lulled into a false sense of security by minimal enforcement activity since GDPR came into force on May 25 2018. Here, legal and technology experts reflect on what this development means for business.

Dianne Yarrow, partner and commercial solicitor, Gardner Leader: Not long after the first anniversary of GDPR coming into force, the ICO has issued the largest ever fine to British Airways for a data breach relating to 500,000 customers. Under Article 5 of the GDPR rules, personal data shall be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes… and… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)’. The compromised information in the BA cyber incident included log-ins, payment cards, travel bookings, names and addresses. Clearly, BA breached the above Article and the wider GDPR as it failed to safeguard personal data that it was entrusted with. BA has been issued with a fine amounting to 1.5% of its worldwide turnover in 2017, which far surpasses the previous record fine of £500,000 that Facebook was ordered to pay in the Cambridge Analytica data scandal. The difference in the fines is owed to the change of law between the incidents, namely the arrival of GDPR, which allows a maximum fine of up to 4% of annual turnover. The penalty is substantial.

There are various factors considered when setting the level of fine. Amongst others, these include the number of people affected and the level of damage suffered; the negligent character of the infringement; the degree of responsibility of the controller; and the categories of personal data affected by the infringement. Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty that sends a strong message to all data controllers. The first large fine was always going to be hotly contested and in the next 28 days we should learn details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors. Given current GDPR guidelines, it can be reasonably expected that any decision by the ICO will set a strong precedent for future large-scale data breaches. Anyone who has not yet taken steps to ensure they comply with GDPR should revisit what they need to do in the context of their business.

Jon Baines, Data Protection Advisor, Mishcon de Reya: News that the ICO is intending to fine BA £183m and Marriott International £99m is remarkable for a number of reasons. Firstly, and crucially, these are merely ‘notices of intent’ – recent figures obtained by this Firm under the Freedom of Information Act indicate that nearly one in three ICO notices of intent ultimately either get cancelled or result in a lower final penalty. Secondly, the legality and fairness of ICO’s investigative procedure has come under serious – and extraordinary – challenge in the recent case involving Facebook, in which the latter is alleging bias, pre-determination and procedural irregularity. It is quite possible that similar arguments will be aired in any challenge to the notices of intent. Thirdly, the notices of intent were announced initially not by the ICO but by the recipients, under their market notification obligations. To this extent, ICO’s hand has been forced; it will definitely be hoping it has got its factual and legal analyses right, because the challenges coming its way are likely to be robust and costly. Fourthly, these sums are huge, market-influencing ones. Up until now, people were certainly concerned about GDPR, but this news makes it very clear that fines arising from alleged non-compliance have become a major corporate risk factor. No one should over-react to this news. But everyone should pay very close attention to developments.

Michael Mittel, CEO, Rapidfire Tools: This is just like HIPAA in the USA, where it took several years, but eventually fines did become a regular occurrence. In the US, half of organisations with HIPAA violations end up closing down and the same will happen with GDPR. The purpose of the ICO is to enforce the law and to protect the people, not to come to the defence of corporations. To remain compliant with GDPR, senior leaders have got to know their own company, to understand what their company does and how it collects data. Is it part of the company DNA or just something that’s done off-handedly?

The impacts of a GDPR fine

Continued...
