I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.
The ICO commissioner, Elizabeth Denham, has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort […]”, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]”.
I have also maintained that huge fines would only be levied against those who have done something so egregious that the ‘lighter-touch’ ‘corrective powers’ (e.g. warnings, reprimands etc.) detailed in Article 58(2) just don’t meet the criteria of ‘effective, proportionate and dissuasive’.
So why was BA’s fine so high? At 1.4% of global revenue, the fine, while well below the 2% maximum fine allowable under Article 83(4), is still way up there on the egregiousness scale.
Every parameter used to determine egregiousness is spelled out in Article 83(2), and here’s my interpretation/assumptions on the ICO’s findings that led to the total:
Art. 83(2)(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them – ~500K affected data subjects is bad, but there have been far, far worse;
(b) the intentional or negligent character of the infringement – I think it’s safe to say the negligence was a factor here, at least in the lack of appropriate change control and testing;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects – other than a public apology from the CEO, I’ve not heard that BA has done anything to make things right with the data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 – the vulnerability exploited was a simple one, so data protection by design and by default (DPbD2, Art. 25) and appropriate security controls (Art. 32) were clearly lacking;
(e) any relevant previous infringements by the controller or processor – I’m sure this is not their first, but can’t be arsed to do any research;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement – I would like to think they were cooperative;
(g) the categories of personal data affected by the infringement – data loss included cardholder data and travel details but no sensitive data, so this is only middling bad as well;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement – I believe it was BA who told the ICO, so that counts in their favour;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures – I don’t think BA have been under any ‘corrective powers’ before?;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 – neither of these things exist yet, so N/A; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement – no idea.
BA is a huge organisation, and the implementation of the processes that cover the GDPR requirements across that entire infrastructure is enormously difficult. Not complicated, just difficult. Clearly BA had not done anywhere near enough in this regard, or the fine would have been considerably less.
So what does that mean for YOUR organisation? What would a fine look like if/when your organisation suffers a breach? In my experience, VERY few organisations are even remotely prepared for a breach of any sort, let alone one that falls under GDPR. Therefore, if you don’t have all of the below in place, you can not only expect a fine, but that fine will be nearer to 2% than if you had just done things properly:
Art. 83(2)(a) ‘nature, gravity, duration, and number of records’ – breaches can often take months or even years to come to light, which is a very good indication of the poor state of the security programme. Unless you have the capability to detect a breach QUICKLY you will score badly here. It should also go without saying that the more records you lose the worse the offence will be, so if you don’t even know what data you hold, assume the worst possible mark;
(b) ‘intentional or negligent’ – I have to assume that none of you want to lose data, but what are you doing to ensure that it does not happen? Fewer than half of the security programmes I’ve seen would give an organisation a capability that would not be deemed negligent;
(c) ‘damage mitigation’ – are you only collecting the data you need? Have you deleted all the data you no longer need? Have you pseudonymised and/or encrypted the rest? If the answer is no to any of these, you have not done anywhere near enough to mitigate the loss;
(d) ‘degree of responsibility’ – unless you have built data protection by design and data protection by default (DPbD2) into every one of your relevant processes, AND implemented a ‘demonstrably appropriate’ security programme, you have taken no responsibility or accountability for data protection;
(e) previous infringements – if this is not your first rodeo, that’s bad. It shows you’ve learned nothing from the first one so this is now gross negligence;
(f) cooperation – Not only should you cooperate fully, the promises to remediate need to come from the CEO/BoD. Anything less is as disrespectful as it is inappropriate;
(g) ‘categories of personal data’ – if all you have is names and email addresses, no big deal, but if you have sensitive data (which most employers do) its loss maximises your penalty (see ‘damage mitigation’);
(h) ‘infringement notification’ – The majority of breaches are still outed by external sources. From affected clients to news stories, most organisations hear about their breach from someone else. This is bad because you clearly have limited security capability;
(i) ‘previous corrective measures’ – same as (e) above: is this your first?;
(j) ‘codes of conduct’ / ‘certification’ – Not applicable yet; and
(k) ‘other factors’ – is there anything you can say in your defence? Do you have a DR communication package ready to go?
For those of you who have still not performed a data discovery / process mapping exercise, you literally have no defence whatsoever. I don’t care if you have the most comprehensive privacy policies on the planet, they are nothing but paperwork if you can’t demonstrate accountability.
Better get on with it.