5 Lessons from the Record GDPR Fine Against British Airways
The data privacy world looked set to focus on the California Consumer Privacy Act (CCPA) for the next few months, as preparations ramp up ahead of the January 1, 2020 compliance deadline and Congress has not found momentum behind a federal privacy bill that includes preemption. However, the GDPR reasserted itself today as the world’s most important privacy law of 2019.
The proposed 183 million GBP fine (~$230 million USD) under GDPR by the UK ICO against British Airways and its parent company for a data breach last year has made clear that companies need to remain vigilant regarding their GDPR compliance efforts. The notice of intent to issue a GDPR fine would quadruple the largest fine issued to date under the EU’s data protection law: the $57 million USD fine against Google for the privacy practices of its Android operating system, issued by France’s CNIL and announced in January.
There have been a number of surveys of business executives and compliance professionals taken since May of last year, when GDPR went into effect, and many respondents indicated doubts about the strength of their privacy compliance program. If you are at an organization that needs to make improvements in data privacy, now is the time! Today’s fine makes clear that noncompliance is not an option.
What are the lessons from British Airways? Here are the five that are on the top of our mind:
1. Any GDPR grace period is over.
Last year, there was a lot of discussion about how the data protection authorities had not yet issued a large fine under GDPR. This led some to speculate that the hype about substantial fines leading up to May 25th was mistaken. Today’s proposed fine against British Airways has put to rest any speculation that the millions of dollars companies spent on compliance efforts were unnecessary.
The DPAs also appeared to give several companies last year the opportunity to correct their mistakes without issuing a fine. These decisions led some to speculate that there was a grace period. While EU privacy regulators had indicated that substantial fines were coming this year, the announcement this morning was still eye-opening. If a fine of this size can be issued for a breach disclosed only three months after GDPR went into effect, then the grace period debate has been put to rest.
2. Maximum fines are coming under GDPR – fast!
The data breach at British Airways was on the smaller side compared to many other data breaches last year. It implicated the personal information of only around 500,000 people, and British Airways has said that there has been no evidence of financial fraud as a result of it. There were at least twenty data breaches at other companies revealed during 2018 that exceeded it in size, including several that involved more than ten million records. If this data breach warranted a fine of 1.5 percent of global annual revenue, then larger fines, up to the maximum of 4 percent of annual global revenue, will be coming sooner than many expected.
3. Big GDPR fines will not be limited to social media and tech companies.
Tech and social media have been the focus of data privacy issues for the last year. After the Cambridge Analytica scandal, politicians, regulators and the public homed in on the use of personal data by tech companies. Yet, while Google may have been the first big company to be fined, an airline now holds the record for the largest fine announced to date by the data protection authorities. Organizations that have been expecting to stay under the radar while data protection authorities target tech companies need to quickly reevaluate their assumptions.
4. There is substantial risk to the “wait and see” benchmarking approach.
With some companies spending more than $10 million to get ready for the new EU privacy law, others decided to take a wait-and-see approach that maintains parity with other companies in their industry. It may have been a rational response at the time, given some of the questions around GDPR enforcement and the costs of compliance, but the risk of a substantial fine is now far too great to continue it. Companies that have been focused solely on staying even with their competitors need to stop benchmarking and put their maximum efforts behind protecting data privacy.
5. Financial penalties will hit shareholders.
The impact of data privacy scandals on the finances of companies continues. After the announcement by the parent company of British Airways, the stock of International Airlines Group (IAG) on the London Stock Exchange fell 1.36% today to close at 450.30. At its low point during the session, it traded down to 447.80. The one-day cost to shareholders was more than 100 million pounds of the company’s market capitalization, and the negative publicity may ultimately cost it more. Although this was nowhere near the approximately $100 billion erased from Facebook’s shareholder value on two separate occasions, stock drops continue to demonstrate to companies the importance of avoiding data privacy scandals.