British Airways GDPR Breach
18th July, 2019
British Airways, once renowned for being the UK’s largest international airline, has been issued with a record-breaking GDPR fine by the Information Commissioner’s Office (ICO). The £183.39M fine follows a breach in security systems between late August and early September 2018.
As a result of their “poor security arrangements”, personal data from half a million British Airways customers was stolen. The ICO declared that hackers accessed customer names, addresses, credit card information and details of their travel bookings.
British Airways chairman Alex Cruz expressed how “surprised and disappointed” the airline was by the decision made by ICO to fine British Airways 1.5% of the company’s 2017 revenue.
The importance of GDPR to employers and their employees
Updated data protection legislation came into force in May 2018, including the General Data Protection Regulations (‘GDPR’) and the Data Protection Act 2018 (‘DPA 2018’). Fundamentally, the reformation allowed EU citizens to have more control over their data.
UK companies are obliged to comply with the DPA 2018. Personal data is information that relates to an identified individual, this will generally be processed electronically and held by a public authority. However, the introduction to GDPR also meant new responsibilities for employers and their employees.
Following the recent changes, it is now vital for employers to make sure that all personal data, particularly sensitive information such as healthcare matters (which is now collectively referred to as special category data) must be carefully secured.
Considerations for employers
It is a legal obligation for employers to comply with the DPA 2018. As a reminder to all businesses, it is necessary for employers to provide employees with detailed information regarding:
- What type of data they will be holding;
- how long their data is going to be held;
- whether the data is going to be transferred to other organisations and other countries;
- the right to make a subject access request; and
- the right to have personal data deleted or rectified in certain instances.
Organisations should have a clear and thorough retention policy for holding personal data. Such data must not be held for longer than is required. Employers will also have a responsibility to ensure the retention policy is easily accessible for the employees.
What to do if there is a personal data breach?
The new data protection legislation imposed a new breach notification requirement. If you believe there has been a personal data breach which is likely to endanger the rights and freedoms of an individual, it is essential that you inform the ICO within 72 hours.
The individual concerned shall also be notified if it is considered that the breach is likely to result in a high risk of adversely affecting their rights and freedoms – but this threshold is higher than the threshold for reporting the breach to the ICO.
The ICO will then investigate the breach and can issue fines which can be as much as €20 million or up to 4% of the organisations annual turnover depending on which is greater. As previously mentioned British Airways received a fine of 1.5% of their annual turnover for 2017 totaling £183.39M.
For professional in house training and compliance advice and support for your business, please contact employment law partner Claire Brook.
You might also be interested in...
15th January, 2020
The Employment Tribunal has now made a decision in the case of Casamitjana v League Against Cruel Sports, concerning... Read More »