A stark reminder of the rules: BA faces eye-watering GDPR fine

July 08, 2019
Written by Paul Hammersley

Paul has for many years been a remarkable technical force at EPI-USE Labs. As VP of the ALM Products, his portfolio includes System Landscape Optimization, and his hands-on experience of implementing Data Sync Manager and helping clients to manage data across the breadth of their SAP landscapes is unique. He has specialised knowledge about data security and how GDPR (the General Data Protection Regulation) impacts companies running SAP.


British Airways given £183 million fine for data breach – the first public GDPR fine in the UK

In the sunrise period for GDPR (the General Data Protection Regulation), it was a hot topic not just in the industry, but temporarily in the mainstream media as well. People with no interest in IT, never mind data security, were aware of the law and interested to see what was going to happen. A bit like how we all become tennis aficionados for two weeks during Wimbledon. Since then, with (relatively speaking) small fines being issued for breaches that occurred under the old laws, the subject had left the mainstream again until today, with the news that the Information Commissioner's Office (ICO) has handed down a fine of £183 million to British Airways (BA).

Information Commissioner Elizabeth Denham's stance is clear. In the announcement she says:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

A surprise? Not really

The reaction within the industry has not been one of massive surprise. A statement fine to a blue-chip company was widely expected. The fact that it hasn’t happened sooner was simply because of the time it takes for thorough investigations to run their course; the ICO was still working through a large number of cases that pre-dated 25 May 2018. On the face of it, a fine 367 times bigger than the previous highest fine in the UK does seem eye-watering, but it could have been £500 million based on BA’s global revenue. Even in this detail, the ICO has taken the opportunity to spell out the new rules of engagement to everyone looking on. It was a massive breach of personal data, therefore a big fine was likely, but it could have been much bigger. The ICO highlighted that BA had co-operated with the investigation and had already taken measures to improve security.

What else will we learn from this landmark case?

The existence of the BA breach has been known for some time, so this has been an eagerly awaited announcement. Just as eagerly awaited, though, is what happens next. An appeal is widely expected, but if that is unsuccessful, will there be a legal challenge? Or will one of the UK’s flagship brands pay the fine and focus on repairing the damage to its brand?

Removing data in SAP

This is of course why many organisations have chosen our Data Privacy suite for SAP. The key point: don’t keep real personal data in test and development systems where it isn’t needed. With an effective scrambling solution, you can have test data that is just as realistic as the original, without any breach risk. And in Production systems, don’t keep the data any longer than you need to. Remove sensitive information or identifiers without having to archive.

Incidentally, in a non-SAP environment the concept of redaction has already been challenged in Austria, with the local equivalent of the ICO finding that, provided the identity could not be reverse-engineered, redaction did uphold the Right to be Forgotten.
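To make the two points above concrete, here is an added example (not Data Sync Manager code, and not tied to any real SAP interface) of scrambling a constructed business-partner sample: values are replaced consistently across two related tables so the data stays realistic and joinable, the random key is discarded with the scrambler so the mapping cannot be reversed, and a final check confirms that no real value survived. Table and field names loosely follow SAP naming but are labels only.

```python
import hashlib, secrets
# Constructed sample rows standing in for a test-system copy of SAP business-partner
# data (names as in BUT000, e-mail as in ADR6). Invented values, not real people.
PARTNERS = [
    {"PARTNER": "0000100001", "NAME_FIRST": "Alice", "NAME_LAST": "Morgan", "TAXNUM": "AB123456C"},
    {"PARTNER": "0000100002", "NAME_FIRST": "Bob", "NAME_LAST": "Singh", "TAXNUM": "CD987654E"},
]
EMAILS = [
    {"PARTNER": "0000100001", "SMTP_ADDR": "alice.morgan@example.com"},
    {"PARTNER": "0000100002", "SMTP_ADDR": "bob.singh@example.com"},
]
FIRST_POOL = ["Taylor", "Jordan", "Casey", "Riley", "Avery", "Quinn", "Reese", "Dana"]
LAST_POOL = ["Hughes", "Patel", "Novak", "Okafor", "Lindqvist", "Moreau", "Ferreira", "Tanaka"]

class Scrambler:
    """Keyed, consistent pseudonymisation: one real value -> one fake value per run, so
    joins still work; the random key dies with the object, so nothing can be reversed."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _stream(self, field, value, n):
        # Keyed SHAKE256 as an extendable keystream, bound to the field name as well as the value.
        return hashlib.shake_256(self._key + f"{field}\0{value}".encode()).digest(n)

    def pick(self, field, value, pool):
        return pool[int.from_bytes(self._stream(field, value, 4), "big") % len(pool)]

    def preserve_format(self, field, value):
        # Letter -> letter, digit -> digit, punctuation kept, so format checks (e.g. tax number) still pass.
        ks = self._stream(field, value, len(value))
        return "".join(chr(65 + k % 26) if c.isalpha() else str(k % 10) if c.isdigit() else c
                       for c, k in zip(value, ks))

def scramble(partners, emails, scr):
    out_p = [{**r, "NAME_FIRST": scr.pick("NAME_FIRST", r["NAME_FIRST"], FIRST_POOL),
              "NAME_LAST": scr.pick("NAME_LAST", r["NAME_LAST"], LAST_POOL),
              "TAXNUM": scr.preserve_format("TAXNUM", r["TAXNUM"])} for r in partners]
    names = {r["PARTNER"]: (r["NAME_FIRST"], r["NAME_LAST"]) for r in out_p}
    # E-mail is rebuilt from the scrambled name (so the two tables stay consistent) on a
    # reserved domain, so a test job can never mail a real person.
    out_e = [{**r, "SMTP_ADDR": "{}.{}@example.invalid".format(*names[r["PARTNER"]]).lower()}
             for r in emails]
    return out_p, out_e

def leaks(before, after, fields):
    """Original values that survived scrambling; an empty list is the pass condition."""
    real = {r[f] for r in before for f in fields}
    return sorted(r[f] for r in after for f in fields if r[f] in real)
```

Run `scramble(PARTNERS, EMAILS, Scrambler())` and then `leaks(...)` on each output table; any non-empty result means a real identifier is still sitting in the test system.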
