£183m for BA – under the GDPR. £0.5m for Facebook – under the old DPA 1998.
The difference between the previous maximum fine and the headlines on BA’s GDPR fine are startling.
The first point: BA has only been issued with a “Notice of Intent.” This is the ICO’s initial finding and proposed level of fine.
But even if BA manage to provide more information and detail to alter the ICO’s initial findings and – for example, half the fine to £90m – this would be a game-changing amount.
And we still do not yet know the full detail of the case, or the rationale and justification the ICO is using in support of the level of fine.
Information Security and the GDPR
It is likely that most organisations will not be targeted in the sophisticated way BA was.
But the key learning points are not so much around IT.
Yes, the security and technical aspects of the breach are important: the literal interpretation of what BA could have done to reduce the risk is that you need to security test every third-party plug-in update. The overhead is mind boggling.
But as important and (historically underdeveloped) are having a documented, informed, risk-based answer to the question “should we invest £xxx on undertaking such security tests and if not, what is our rationale for not doing them?”
The critical take away from the BA breach is therefore more around governance and accountability of Information Security decision making:
- Can you demonstrate how you meet the requirements of Articles (5)(1)(f) and 32 of the GDPR?
- Have you the processes and documentation to prove there was informed, risk-based decision making around which security to deploy and how much to spend?
The GDPR helpful states you must
- “ensure a level of security appropriate to the risk”
- using “appropriate technical and organisational measures”
- by considering
- the state of the art (e.g. current industry standards)
- the cost of implementation
- the nature, scope, context and purposes of processing (e.g. which data is being handled? Why? Whose data is it?)
- Risk of varying likelihood and severity for people’s rights and freedoms (e.g. what impact could a breach have on people?)
The GDPR also makes clear that “risk should be evaluated on the basis of an objective assessment” (Recital 76) and provides example risks to individuals Data Subjects (Recital 75).
The key actions
- Review your process for deciding which information security to deploy and how effective they are
- Ensure you can demonstrate a risk-based approach to evaluating information security risk.
Protecture can advise and assist with remedial and preventative measures to reduce the risks you face from both a technical (IT security) and organisational (process and documentation) perspective. Call us on 020 3691 5731, email firstname.lastname@example.org or fill out our contact form here.