A stark reminder of the rules: BA faces eye-watering GDPR fine

July 08, 2019
Written by Paul Hammersley

Paul has for many years been a remarkable technical force at EPI-USE Labs. As SVP of the ALM Products, his portfolio includes System Landscape Optimization, and his hands-on experience of implementing Data Sync Manager and helping clients to manage data across the breadth of their SAP landscapes is unique. He has specialised knowledge about data security and how GDPR (the General Data Protection Regulation) impacts companies running SAP.

British Airways faces a £183 million fine for its data breach – the first GDPR penalty announced in the UK

In the run-up to GDPR (the General Data Protection Regulation) coming into force, it was a hot topic not just in the industry but, for a while, in the mainstream media as well. People with no interest in IT, never mind data security, knew about the law and wanted to see what would happen, a bit like the way we all become tennis aficionados for two weeks during Wimbledon. Since then, with only (relatively speaking) small fines being issued, all for breaches which occurred under the old law, the subject had left the mainstream again until today, with the news that the Information Commissioner's Office (ICO) has announced its intention to fine British Airways (BA) £183 million.

Information Commissioner Elizabeth Denham's stance is clear. In the announcement she says:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

A surprise? Not really

The reaction within the industry has not been one of great surprise. A statement fine against a blue-chip company was widely expected; that it hasn't happened sooner is simply down to the time a thorough investigation takes, and the ICO was still processing a backlog of cases which occurred before 25 May 2018, when GDPR took effect. On the face of it, a fine 367 times bigger than the previous highest in the UK (the £500,000 maximum under the old Data Protection Act) does seem eye-watering, but it could have been around £500 million: GDPR allows penalties of up to 4% of global annual turnover, and the proposed figure is roughly 1.5% of BA's. Even in this detail, the ICO has taken the opportunity to spell out the new rules of engagement to everyone looking on. It was a massive breach of personal data, therefore a big fine was likely, but it could have been much bigger. The ICO highlighted that BA had co-operated with the investigation and had already taken measures to improve its security.

What else will we learn from this landmark case?

The existence of the BA breach has been known for some time, so this has been an eagerly awaited announcement. Just as eagerly awaited, though, is what happens next. An appeal is widely expected, but if that is unsuccessful, will there be a legal challenge? Or will one of the UK’s flagship brands pay the fine and focus on repairing the damage to its brand?

Removing data in SAP

This is of course why many organisations have chosen our Data Privacy suite for SAP. The key point: don't keep real personal data in test and development systems where it isn't needed. With an effective scrambling solution you can have test data that is just as realistic to work with, but that no longer exposes real individuals if a non-production system is compromised. And in Production systems, don't keep the data any longer than you need to: remove sensitive information or identifiers without having to archive the whole record.

Incidentally, in a non-SAP context the status of redaction has already been tested in Austria, where the local equivalent of the ICO found that anonymising a record, so that the identity cannot be reverse engineered, does satisfy the Right to be Forgotten (the right to erasure).
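To make the distinction between the two techniques in the last two paragraphs concrete, here is an added example written for this article; it is not code from the Data Privacy suite or Data Sync Manager. It uses constructed customer and order records shaped loosely like SAP tables (the field names KUNNR, NAME1 and so on, the key, and the sample people are assumptions for illustration). Scrambling for a test copy is keyed and deterministic, so the data stays realistic and the order table still joins to the customer table; redaction for production is keyless and irreversible, which is the property the Austrian finding above turns on.

```python
"""Two data-minimisation techniques for SAP-shaped personal data: keyed
scrambling for a test-system copy and irreversible redaction in production.
Example code added by the editor; it is not code from EPI-USE Labs' Data Sync
Manager or Data Privacy suite, and the field names are only shaped like SAP's
(KUNNR, NAME1, ...) to make the records recognisable.
"""
import hashlib
import hmac
import re

# Constructed sample data: a customer master table and a dependent sales-order
# table that references it through the customer number KUNNR.
CUSTOMERS = [
    {"KUNNR": "0000100001", "NAME1": "Jane Smith", "SMTP_ADDR": "jane.smith@example.com",
     "TELF1": "+44 20 7946 0123", "LAND1": "GB"},
    {"KUNNR": "0000100002", "NAME1": "Ahmed Khan", "SMTP_ADDR": "a.khan@example.org",
     "TELF1": "+44 161 496 0456", "LAND1": "GB"},
]
ORDERS = [
    {"VBELN": "0090000001", "KUNNR": "0000100001", "NETWR": "1250.00"},
    {"VBELN": "0090000002", "KUNNR": "0000100002", "NETWR": "80.50"},
    {"VBELN": "0090000003", "KUNNR": "0000100001", "NETWR": "19.99"},
]

# Fields that identify a natural person. Business fields (country, order value)
# are what testers and reports need, so they are left alone.
IDENTIFYING_FIELDS = ("NAME1", "SMTP_ADDR", "TELF1")


def _tag(key: bytes, field: str, value: str) -> str:
    """Deterministic, key-dependent tag for one field value. HMAC-SHA256 rather
    than a bare hash, so nobody without the key can rebuild the mapping by
    hashing a dictionary of likely names or e-mail addresses."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def scramble_customer(rec: dict, key: bytes) -> dict:
    """Scramble one record for a non-production copy.

    Same input and same key always give the same output, so the scrambled
    table still joins to the order table and field formats survive, but the
    real person is no longer in the copy. The holder of the key could in
    principle re-link a value by recomputing it, so under GDPR this is
    pseudonymisation, and the key must never travel to the test landscape."""
    out = dict(rec)
    out["NAME1"] = "Test Person " + _tag(key, "NAME1", rec["NAME1"])[:8].upper()
    # Keep the local@domain shape; .invalid is a reserved TLD, so mail cannot leave.
    out["SMTP_ADDR"] = "user-" + _tag(key, "SMTP_ADDR", rec["SMTP_ADDR"])[:10] + "@example.invalid"
    # Keep the punctuation and grouping of the phone number, replace every digit.
    digits = iter(str(int(_tag(key, "TELF1", rec["TELF1"]), 16)))
    out["TELF1"] = re.sub(r"\d", lambda _: next(digits), rec["TELF1"])
    return out


def redact_customer(rec: dict) -> dict:
    """Redact identifiers in place in production once they are no longer needed.

    No key and no per-value derivation, so nothing in the output can be
    reversed to the person. The business record (customer number, country)
    stays so that order history and reporting still reconcile without archiving."""
    out = dict(rec)
    for field in IDENTIFYING_FIELDS:
        out[field] = "REDACTED"
    return out


def scramble_table(customers: list, key: bytes) -> list:
    return [scramble_customer(c, key) for c in customers]


def orders_still_join(customers: list, orders: list) -> bool:
    """Referential-integrity check: every order must still find its customer."""
    known = {c["KUNNR"] for c in customers}
    return all(o["KUNNR"] in known for o in orders)


def leaked_identifiers(processed: list, originals: list) -> set:
    """Return any original identifying value that survived into the processed
    copy (a scrambling run that leaks a real e-mail address has failed)."""
    real = {c[f] for c in originals for f in IDENTIFYING_FIELDS}
    seen = {v for p in processed for v in p.values()}
    return real & seen


if __name__ == "__main__":
    key = b"hypothetical-key-kept-in-production-only"
    test_copy = scramble_table(CUSTOMERS, key)
    assert orders_still_join(test_copy, ORDERS)
    assert not leaked_identifiers(test_copy, CUSTOMERS)
    for c in test_copy:
        print(c)
    print(redact_customer(CUSTOMERS[0]))
```

Note the caveat in the scrambling docstring: because whoever holds the key could recompute the mapping, the scrambled copy is pseudonymised rather than anonymised, so the key stays in the production landscape and the test copy is still treated as personal data in the risk assessment. Only the keyless, irreversible form produced by the redaction step is anonymised in the sense the Austrian decision describes, and the two checks at the end (orders still join, no original identifier survives) are the kind of evidence you want from any scrambling run before the copy is handed to a test team.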

