NOTE: This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
A record $230 million GDPR fine against International Airlines Group—the parent company of British Airways—was announced today by the U.K.’s Information Commissioner’s Office (ICO). The fine stems from the airline’s massive data breach last year, which exposed the records of more than 500,000 customers who made payments through the company’s website and mobile app.
The tentative fine announced today equals 1.5% of British Airways’ total revenue for 2018 and is more than quadruple Google’s $57 million fine earlier this year (imposed by France’s CNIL regulatory body). Depending on the violation, GDPR fines can reach a maximum of 20 million euros or 4% of a company’s gross revenue, whichever is higher.
Update: The ICO announced July 9 a second major GDPR fine in as many days, this time declaring its intention to fine Marriott International $123 million for its 2018 data breach. The breach affected roughly 339 million guest accounts including highly sensitive information such as passport numbers. Clearly, the ICO is seeking to make a statement with these successive fines, leaving open the possibility for additional announcements in the coming days.
The General Data Protection Regulation (GDPR) is designed to protect the personal data of internet users in the EU and the European Economic Area (EEA). Any company that processes such data is subject to GDPR.
GDPR recently marked its one-year anniversary; it went into effect May 25, 2018. The regulation has since inspired countless other global data protection laws, such as Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA).
U.S. public still not familiar with GDPR
Despite record fines and worldwide proliferation of data protection regulations, a recent GetApp survey found that 54% of U.S. respondents had no familiarity with GDPR. Even more concerning? More than one-third (34%) of IT professionals surveyed also indicated no familiarity with the influential regulation.
This is a problem all U.S. companies must address and rectify to ensure compliance with not only GDPR but also the very similar CCPA requirements. The latter will go into effect six months from now (Jan. 1, 2020) and will hit domestic companies much closer to home.
What your business needs to do about it
Though your company might not face a $230 million fine, you simply can’t continue conducting business as usual in this environment.
If you’re feeling overwhelmed or have put off getting to know the rapidly expanding universe of data privacy regulations, read our primer to familiarize yourself with GDPR, CCPA, and other relevant data protection laws.
NOTE: The data security survey referenced in this article was conducted by GetApp in June 2019 among 714 respondents who reported full-time employment in the United States. 207 of the 714 respondents identified as IT professionals.