The good, the bad and the GDPR
Written by Peter Walker
The differing approaches to data breaches of British Airways and Equifax have been cited as best practice and a cautionary tale, respectively, under the General Data Protection Regulation (GDPR).
Speaking at the IP Expo conference in London today, OneTrust’s vice president of sales and business development Kevin Kiley said that while Equifax drip-fed information which it turned out had been known for months - while senior executives sold company stock - British Airways immediately contacted affected customers and went public with the breach.
“The difference is in the speed of reporting, the amount of information given and the general transparency with individuals and the regulator,” he stated.
Equifax was fined £500,000 by the Information Commissioner’s Office (ICO) after the data of 15 million Britons was left exposed by a massive cyberattack.
When the breach was first uncovered in May last year, Equifax reported that fewer than 400,000 people’s sensitive data had been exposed, but later clarified that the total was nearly 700,000. In October the company said that a further 14.5 million records were exposed, but would not have put people at risk.
The ICO was unable to use the terms of the GDPR, which came into force in May this year, to investigate the breach, and instead investigated under the terms of the UK Data Protection Act 1998, imposing the maximum fine.
Early last month, British Airways said it was investigating the theft of personal and financial data of 380,000 customers after hackers gained access to its website and mobile app.
It is not yet known what action the ICO will take, but Joanne Bone, a partner at law firm Irwin Mitchell, told delegates that the Equifax fine may signal the direction of travel for the regulator.
She noted that there has not yet been any definitive statement from the ICO on how it will treat cases that span the 25 May deadline, although the likelihood is that fines will be levied under the new regulation if problems continue past that date. Under GDPR, companies can be fined up to €20 million, or 4 per cent of annual global turnover – whichever is higher.
Bone sought to dispel some popular GDPR myths – that it would be akin to the anti-climactic Y2K bug hype, that Brexit would bring an end to it, and that the ICO had a hit list of companies to fine.
She pointed out that GDPR is designed to create cultural change, and this is just the beginning, but at the same time, the regulator is taking a measured approach to using its powers, despite a marked increase in complaints.
Information released under a Freedom of Information Request from law firm EMW showed that there were 6,281 complaints between 25 May and 3 July, a 160 per cent rise from just 2,417 complaints over the same period in 2017.
What Bone has noticed is the increase in consumers adding personal data requests in with product or service complaints to companies; “the idea being that the process will be so painful that companies will just give consumers what they want”. However, she noted that there has not yet been the expected rise in right to be forgotten requests.
When the UK exits the EU next March, GDPR will still apply, but Bone warned that the move will put Britain outside of the European Economic Area (EEA), meaning companies will “have to jump through additional hoops” to have data sent to them from other parts of Europe.
“This is going to create lots of supply chain problems and doesn’t seem to be on a lot of people’s radar,” she explained. “We could get what’s called an Adequacy Decision - if the authorities deem our data protection regime adequate - but these usually take three years to be granted, so we’ll have to hope a deal is done.”