GDPR mandates a ‘baseline set of standards for companies that handle EU citizens’ data, to better safeguard the processing and movement of citizens’ personal data’. AKA keeping you and your information safer in a world of increasing hack attacks, identity theft and data breaching. So now:
There’s more to it, but you get the idea. This new law is a seeming pain in the butt for businesses and companies worldwide who operate, trade and engage with EU citizens, as non-compliance with new privacy laws can result in some head-spinning, earth-shattering and business-busting fines & penalties. Witness BA right now.
How much?
The law states that a company can be charged up to 4% of annual turnover, or €20 million (whichever is greater) for a single data breach, dependent on its scale and severity. Particularly for larger companies, you’re looking at the business end of tens of millions of dollars, and that doesn’t cover the wider business impacts, including loss of public trust and brand reputation. All for a problem that could readily be avoided, with the right processes and tools. In Facebook’s 2014 case, this metric would translate to up to £1.4 Billion. For British Airways, this was a tasty £183 million, equating to 1.5% of their 2018 revenue.
The airline, owned by IAG, states that it is ‘surprised and disappointed’ by the penalty from the ICO, as shares dropped as much as 1.95% in early trading as the news was announced. The fine landed the same day as the airline opened communication with its pilots, ‘in an effort to avert a potentially damaging summer strike’ (‘Isn’t it ironic’ plays softly in the distance). An analyst at Hargreaves Lansdown noted that the fine would make ‘a pretty big dent’ in IAG’s financial performance. Understatement mastered.
Lessons to learn
Whether or not it is the ICO’s intention to make an example of British Airways and discourage others from becoming apathetic about adequate data management, there are some clear pointers we can all take from BA’s mistake.
Better safe than bankrupt.