This morning news has started to come out providing details of one of the first significant data breaches to be reported under the General Data Protection Regulation (GDPR) since its coming in to force in May this year.
Reports state that customer data has been compromised by a sophisticated criminal attack between 21 August and 5 September this year. Personal data involved includes names, addresses and credit card details. BA have already gone public, have contacted affected customers and appear to be actively managing the fallout from the breach. While this makes good sense from a public relation standpoint, their rapid response is also driven by one of the key features brought in by GDPR, data breach reporting.
Under GDPR, those in control of personal data have strict timescales for reporting serious data breaches to the Information Commissioner's Office (ICO) as well as, under certain circumstances, to the individuals whose personal data has been compromised. For data breaches that are likely to result in a risk to the rights and freedoms of individuals, breaches must be reported without undue delay to the:
- ICO, where feasible not later than 72 hours after having become aware of it. If this time frame is missed explanation is required; and
- individuals affected (unless an exception applies).
While the public relations impact of this breach will effect customer trust and BA's reputation, complying with breach reporting requirements should make BA's engagement with the ICO less painful than if they have failed to comply with such requirements.
Now that the ICO is aware of the breach some form of investigation is likely. Any resulting sanction on BA is likely to be driven by the following considerations:
- Did they handle the personal data in a manner that ensured appropriate security?
- Is their approach to data protection up to the standard required by data protection legislation given the personal data that they handle?
- How they handle the breach including complying with required reporting requirements.
These considerations apply to any organisation that processes personal data and this breach may act as a reminder that the hot topic of data protection did not go away following GDPR coming it to force.
Data breach reporting has brought a new angle to how organisations handle data breaches however not all data breaches need to be reported. Given the timescales required, the time it may take to identify the nature of a breach and whether it is reportable, having clear policies, procedures and reporting lines avoids confusion, enables reportable breaches to be correctly identified, and mitigates the publicity and regulatory fallout of a muddled or non-compliant approach. Being prepared to handle a breach involves identifying people within your organisation who have responsibility for data protection, ensuring employees know the importance of reporting a breach, setting out key criteria for decision making and keeping a record not just of reportable breaches but also of non-reportable breaches with your justification for not reporting.
Having such a process in place is a clear indication of your organisation taking data protection seriously. In the light of today's breach organisations should ask themselves whether they know what they would do if they identified a breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.