The true cost of GDPR?
11-09-2018
It’s fair to say that most organisations have been on their toes since the introduction of the new General Data Protection Regulation (GDPR) in May this year.
Mention of GDP-arrgh!, as some have dubbed it, is frequently accompanied by a little sigh from businesses and other organisations, big and small, at the thought of the hoops they’ve had to jump through to manage and protect their customers’ data effectively. However, most consumers have little patience with such complaining, and have welcomed the return of control over their information to them.
But just how much of a risk are these strict new rules to organisations storing and using customer data?
If ever there was a salutary lesson, it’s that of British Airways (BA). It became the latest high-profile casualty of a ‘sophisticated, malicious criminal attack’ – in the words of its Chief Executive Alex Cruz – earlier this month. The same group responsible for a similar attack on bookings site Ticketmaster used software to ‘skim’ customers’ financial details, including bank card numbers, expiry dates and CVC codes, from BA’s web and mobile app screens during the booking or booking amendment process. The attack affected an estimated 380,000 BA customer transactions.
And, although BA was quick to respond – reporting the breach within a day, faster than the statutory requirement of three and promising to compensate every customer, backed by an unreserved apology – it faces making history with the biggest GDPR-related fine to date.
Potential fines stand at a maximum of £10 million or two per cent of turnover for less serious breaches, up to a maximum of £20 million or four per cent of turnover for the most drastic. For BA, this could mean a hit of £500 million or, if its parent company International Airlines Group is implicated, much more. It also faces a consumer legal class action, which itself could cost the firm more than £500 million, from a national law firm claiming grounds on the basis of non-material (stress and emotional) damage caused to the customers affected.
If these astonishing figures have you worried, you’re not alone. See below for a summary of what you need to have done to avoid sanctions – and the less-well-publicised traps you need to watch out for.
GDPR: what you should have done by now
If you haven’t covered these off already within your organisation, we would strongly advise tackling them without delay:
- Be clear what information you hold on your customers, only keep data you have good reason to keep, and ensure you could provide it to your customers as soon as possible and within 1 month of request;
- Ensure that you store that data securely, both in your network storage systems and when emailing or sending it (encrypted or via a secure drive is best, as email attachments are always vulnerable); and lock down/encrypt any hardware you use, from your laptop to portable drives;
- Only communicate with your customers in the ways, and for the purposes, they have given you permission for. For example, if you want to email, write to or phone them for anything other than an express business reason (marketing, for example), make sure you have gathered and recorded their express go-ahead for doing so;
- Never share your customers’ information with any third parties without their clear, prior permission.
Hidden ‘catches’ highlighted by the BA case
GDPR makes it considerably easier for individuals to bring private claims against ‘data controllers and processors’ (businesses and other organisations serving members of the public). In particular:
- Anyone who has suffered ‘material or non-material damage’ as a result of a breach of GDPR has the right to receive compensation (Article 82(1)) from the controller or processor (you). The reference to ‘non-material’ damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove that they’ve incurred a financial loss as a result;
- ‘Data subjects’, or customers/users, have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80). Although this falls some way short of a United States-style class action right, it certainly increases the risk of group privacy claims against consumer businesses, as in the case of BA. Employee group actions are also more likely under GDPR;
- Individuals also have the right to lodge a complaint with the Information Commissioner’s Office (Article 77);
- At the same time, individuals, data controllers and processors have the right to legally challenge a decision made by a supervisory authority concerning them if they don’t agree with it, or indeed if the authority fails to make a decision (Article 78).