If there is any business still in doubt about how important it is to comply with data protection legislation that business certainly is not British Airways.
The company was yesterday handed a record fine of £183 million for last year’s breach of its security systems, which led to the loss of customers’ personal data, including payment card details.
The company was a victim of what it described as a “sophisticated, malicious criminal attack” and intends to appeal the fine.
The proposed fine smashed the previous record fine of £500,000 imposed on Facebook for its part in the Cambridge Analytica scandal. That fine, however, was imposed under earlier legislation, before the maximum level of fines was increased to up to 4% of annual turnover.
On that basis the maximum level of fine which might have been imposed on a company of BA’s turnover would have been around £500 million.
In another case, the Information Commissioner’s Office has also fined mobile network EE £100,000 for sending text messages including marketing material to customers last year.
This case is noteworthy not so much for the level of the fine, but because it highlights the difficulty of ensuring compliance in this common and important area of business practice.
The relevant law is set out in the GDPR and in the Privacy and Electronic Communications Regulations, and the rules, particularly those governing the nature of the consent required to send such messages, are highly complex.
Relevant factors include whether the recipient of the message is a business or consumer, the history of the relationship with the customer and the form of the communication.
As these cases indicate, any business which is unsure as to its compliance with data protection law should take advice.
For help or advice on this or other related data protection matters, please contact us on 08081668860.