“The law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” – Information Commissioner, Elizabeth Denham.
This week’s news of the data breach fine against British Airways (part of International Consolidated Airlines Group, IAG) is understood to be the biggest penalty the ICO has issued to date under GDPR, but it is well short of the maximum the airline could have faced.
GDPR allows fines of up to €20 million or 4% of an organisation’s global annual turnover, whichever is higher. In the case of British Airways, the £183m fine is estimated to equate to roughly 1.5% of its global turnover for 2017. Looking at the figures, it would seem that both the scale of the BA breach and the speed of BA’s response were treated as critical factors in determining the size of the fine.
In comparison to BA’s fine, Marriott’s fine of £99m was calculated at a higher percentage, approximately 3% of global turnover, most likely in part because of the slow reaction time in responding to the breach and in correctly notifying the ICO and the affected customers.
These warning shots fired at big businesses are perhaps just the start. As the initial hype around GDPR cools down and the barrage of GDPR consent emails subsides, businesses still face a much larger challenge, and one that will require constant attention: the security and accuracy of the personal data they hold. Consent seemed to be the big issue initially, but so far the real big stick has been wielded over these far harder-to-solve considerations.
Businesses large and small must bear the burden of taking any measures necessary to protect the security of personal data. In doing so, maintaining the accuracy and relevance of data will mitigate risks from a variety of perspectives – not least in the judgemental eyes of the ICO.
Marriott, for example, may well have suffered a smaller fine had it been able to confidently and rapidly notify affected customers about the breach, assuming it could quickly detect that a breach had occurred. It has been reported that so much duplicate data existed in the approximately 500 million customer records involved (30 million of which were understood to belong to Europeans) that a true understanding of the scale of the breach could not be obtained until several weeks after it was announced. This duplication and poor data quality further delayed Marriott’s plans to notify those affected and cast further doubt on the organisation’s ability to store personal data in compliance with GDPR.
The fines are no doubt a huge deterrent in their own right, but reputational damage and the impact on customers (whose lives can be disrupted when personal details get into the wrong hands) is where the real damage of a data breach lies. Prompt and accurate notification empowers those affected to make arrangements to protect themselves and puts them back in control. Similarly, it gives a business an opportunity to retain a degree of trust if it can confidently contact its customers with full details of what has been compromised. Tight security and effective control over all personal data (both at rest and in transit) should prevent breaches from happening in the first place, but an accurate and up-to-date Single Customer View can be a huge mitigating factor in resolving a breach rapidly if one does occur.
Getting a handle on the state of your data, and on whether your Single Customer View is accurate or not, is no longer the preserve of blue-chip businesses or those with large in-house data teams. Did you know that with matchIT On Demand you can perform a GDPR data compliance audit on your customer data using the 14-day free trial? See how many duplicates you have that could be affecting your Single Customer View, screen against third-party data to identify deceased and gone-away records, and even update addresses for home movers and correct them to Royal Mail standards. It’s self-service, no credit card is required and there is no obligation to purchase anything.