Why the BA Fine Was So High, and What YOU Can Do To Avoid the Same

I have long maintained that fines under GDPR are the last resort, and that the ICO do NOT want to use Article 83 of the GDPR as a stick to scare organisations into compliance.

The ICO commissioner, Elizabeth Denham, has even said as much herself, using the word “nonsense” when it was suggested that large fines would become the norm, that “Issuing fines has always been, and will continue to be, a last resort […]”, and “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective […]”.

I have also maintained that huge fines would only be levied against those who have done something so egregious that the ‘lighter-touch’ ‘corrective powers’ (e.g. warnings, reprimands etc.) detailed in Article 58(2) just don’t meet the criteria of ‘effective, proportionate and dissuasive’.

So why was BA’s fine so high? At 1.4% of global revenue, the fine, while well below the 2% maximum fine allowable under Article 83(4), is still way up there on the egregiousness scale.

Every parameter used to determine egregiousness is spelled out in Article 83(2), and here are my interpretations/assumptions of the ICO’s findings that led to the total:

Art. 83(2)(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them – ~500K affected data subjects is bad, but there have been far, far worse;

(b) the intentional or negligent character of the infringement – I think it’s safe to say the negligence was a factor here, at least in the lack of appropriate change control and testing;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects – other than a public apology from the CEO, I’ve not heard that BA has done anything to make things right with the data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 – the vulnerability exploited was a simple one, so DPbD2 (Art. 25) and appropriate security controls (Art. 32) were clearly lacking;

(e) any relevant previous infringements by the controller or processor – I’m sure this is not their first, but can’t be arsed to do any research;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement – I would like to think they were cooperative;

(g) the categories of personal data affected by the infringement – data loss included cardholder data and travel details but no sensitive data, so this is only middling bad as well;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement – I believe it was BA who told the ICO, so that counts in their favour;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures – I don’t think BA have been under any ‘corrective powers’ before?;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42 – neither of these things exist yet, so N/A; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement – no idea.

BA is a huge organisation, and the implementation of the processes that cover the GDPR requirements across that entire infrastructure is enormously difficult. Not complicated, just difficult. Clearly BA had not done anywhere near enough in this regard, or the fine would have been considerably less.

So what does that mean for YOUR organisation? What would a fine look like if/when your organisation suffers a breach? In my experience, VERY few organisations are even remotely prepared for a breach of any sort, let alone one that falls under GDPR. Therefore, if you don’t have all of the below in place, you can not only expect a fine, but that fine will be nearer to 2% than if you had just done things properly:

Art. 83(2)(a) ‘nature, gravity, duration, and number of records’ – breaches can often take months or even years to come to light, which is a very good indication of the poor state of the security program. Unless you have the capability to detect a breach QUICKLY you will score badly here. It should also go without saying that the more records you lose the worse the offence will be, so if you don’t even know what you’ve got, assume the worst possible mark;

(b) ‘intentional or negligent’ – I have to assume that none of you want to lose data, but what are you doing to ensure that it does not happen? Fewer than half of the security programs I’ve seen would result in capability that would not be deemed negligent;

(c) ‘damage mitigation’ – are you only collecting the data you need? Have you deleted all the data you no longer need? Have you pseudonymised and/or encrypted the rest? If the answer is no to any of these, you have not done anywhere near enough to mitigate the loss;

(d) ‘degree of responsibility’ – if you have not built data protection by design and data protection by default (DPbD2) into every one of your relevant processes, AND have not implemented a ‘demonstrably appropriate’ security program, you have taken no responsibility or accountability for data protection;

(e) previous infringements – if this is not your first rodeo, that’s bad. It shows you’ve learned nothing from the first one so this is now gross negligence;

(f) cooperation – Not only should you cooperate fully, the promises to remediate need to come from the CEO/BoD. Anything less is as disrespectful as it is inappropriate;

(g) ‘categories of personal data’ – if all you have is names and email addresses, no big deal, but if you have sensitive data (which most employers do) its loss maximises your penalty (see ‘damage mitigation’);

(h) ‘infringement notification’ – The majority of breaches are still outed by external sources. From affected clients to news stories, most organisations hear about their breach from someone else. This is bad because you clearly have limited security capability;

(i) ‘previous corrective measures’ – same as (e) above: is this your first?;

(j) ‘codes of conduct’ / ‘certification’ – Not applicable yet; and

(k) ‘other factors’ – is there anything you can say in your defence? Do you have a DR communication package ready to go?

For those of you who have still not performed a data discovery / process mapping exercise, you literally have no defence whatsoever. I don’t care if you have the most comprehensive privacy policies on the planet, they are nothing but paperwork if you can’t demonstrate accountability.

Better get on with it.


4 thoughts on “Why the BA Fine Was So High, and What YOU Can Do To Avoid the Same”

  1. But what breach of the GDPR did she find? Was it Art. 32 (then Art. 83(4), max 2% turnover) or was it breach of Art. 5(1)(f) or 5(2), or another provision mentioned in Art. 83(5), where max is 4%? Does anyone know?
    The assumption that the fine was levied under 83(4) is surely premature, and if the fine could have been closer to £500m, then £183m (and subject to confirmation) is not as ‘huge’ as might be thought!

    • A fair question and equally fair conclusion!

      Every indication is that it was a data security breach, not a data protection breach. Systems were compromised, a ‘skimming script’ installed, and data exfiltrated.

      The thieves were clearly after cardholder data, because that’s the majority of what they got, and it’s still the most easily monetised.

      There is no indication that BA was processing any data in contravention of a lawful basis.

  2. BA have been in the news recently for IT issues and in 2017. Their systems are ‘mature’ and likely complex. You state that “BA is a huge organisation, and the implementation of the processes that cover the GDPR requirements across that entire infrastructure is enormously difficult. Not complicated, just difficult. Clearly BA had not done anywhere near enough in this regard, or the fine would have been considerably less.”

    I think that the degree of difficulty in these large, mature, multinational organisations with diverse and complex IT is just too great. Data protection by default and by design might require a ‘start again’ approach which the shareholders and other stakeholders may not be willing to undertake.

    There was an interview on R4 following the check-in problem at BA, and the interviewee alluded to the fact that newer (smaller) airlines were more agile and not encumbered by their history.

    Is the ultimate fate of the large corporation in an online connected world to be fined out of existence?

    • Interesting proposition Ian, and thank you for your comments.

      My full answer could easily run the length of a blog, so maybe I’ll do just that! 🙂 For now though, there are a couple of points I’d like to raise:

      1. GDPR’s principles (including data security) are almost 40 years old (OECD), written into EU law with the DPD in 1995, and transposed into UK law with the DPA in 1998;
      2. Data Protection by Design and Default (DPbD2) is a relatively new concept. Proposed in 1995, but not accepted as a framework until 2010;

      So on the one side you can look at BA and say that given their size and inability to change quickly, they should be cut some slack. On the other hand, you could say that they’ve had over 20 YEARS to develop an appropriate security program.

      Given that they were breached by something so mundane suggests that it is not appropriate. I don’t see this changing until lack of accountability for security at the senior leadership level attracts individual civil penalties (maybe even jail time for the worst offenders).

      I cannot believe the ICO, or any supervisory authority, would severely punish an organisation that is demonstrably doing its best. But seeing as the GDPR uses phrases like “disproportionate effort” to soften the blows, it’s clear that BA have not met the mark.
