The first significant GDPR fine is here: British Airways is facing a fine of $230 million (~1.5% of its 2017 global revenue) in connection with a data breach last year that affected the personal data of hundreds of thousands of people.

Under the new data protection rules enforced by GDPR, the UK Information Commissioner’s Office (ICO) can fine companies up to 4% of their global revenue if they’re found in violation of data privacy regulations.

Elizabeth Denham, Information Commissioner at the ICO, stated: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Announced a little over a year since GDPR came into effect, this proposed fine underscores the importance of data privacy in the enterprise: any company that collects customer data needs to protect and manage that data – or run the risk of regulatory penalties. 

Top takeaways:

• It’s the type of data compromised that’s key. In this instance, it’s not just PII – this breach compromised customer data ranging from traveler names to credit card information to travel booking details. Personal information (PI) extends beyond credit card numbers and addresses, and can be any data related to an individual – including names, travel booking details, and login information.

• Rapid response and due diligence are not enough to avoid penalties. British Airways notified customers within days of detecting the cyberattack, with ongoing follow-up and monitoring to recover from the attack. A prompt response to a cyberattack is commendable, but it doesn’t necessarily clear an organization of penalties once consumer data has been compromised.

• A sign of things to come? This record-breaking fine shows the ICO’s commitment to transparency in how the agency communicates personal data privacy violations. That degree of transparency could be a sign of how regulators will act when making enforcement decisions, pushing enterprises to make serious efforts to protect consumer data.

Customer data privacy matters – now more than ever. What can organizations do to prepare for data privacy regulations?

1. Discover and identify all forms of personal data: organizations need to be able to identify all forms of PI (not just PII) across all data sources – from AWS to MySQL to Salesforce.

2. Correlate to a set of identities: leverage machine learning and analytics to build disparate data points into personal profiles to better map, understand, and appropriately protect customer data.

3. Compare known compromised PI from recent data leaks against your inventory and datasets to proactively respond and notify customers of potential breaches. 
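As an added illustration of steps 1 and 3 above (example code written for this page, not BigID's product logic), the script below first classifies fields in a constructed booking inventory as personal information using simple pattern checks (an e-mail regex, a Luhn checksum for card numbers, a booking-reference pattern), then compares a constructed list of leaked values against that inventory. The comparison uses HMAC-keyed tokens over normalized values so the raw leaked data never needs to be joined against customer records in the clear. The inventory rows, leaked values, field names and the demo key are all assumptions made for the example; name detection is deliberately left out because it needs dictionaries or a trained model rather than a regex.

```python
"""Added example: find PI fields in a customer inventory and match leaked values
against it (not BigID code; all data below is constructed for illustration)."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample inventory, shaped like rows exported from a booking database.
INVENTORY = [
    {"customer_id": "C001", "name": "Ada Lovelace", "email": "Ada.Lovelace@example.com",
     "card": "4111 1111 1111 1111", "booking_ref": "ABC123"},
    {"customer_id": "C002", "name": "Grace Hopper", "email": "grace@example.org",
     "card": "5500 0000 0000 0004", "booking_ref": "XYZ789"},
    # The card value here fails the Luhn check, so it must NOT be flagged as a card.
    {"customer_id": "C003", "name": "Alan Turing", "email": "alan@example.net",
     "card": "1234 5678 9012 3456", "booking_ref": "QRS456"},
]

# Constructed "leaked" values as they might appear in a dump: mixed case, no spacing.
LEAKED_VALUES = ["ada.lovelace@EXAMPLE.com", "5500000000000004", "nobody@example.com"]

# Placeholder key for the demo only; a real deployment would keep this in a secret store.
DEMO_KEY = b"demo-key-not-for-production"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
BOOKING_RE = re.compile(r"^[A-Z0-9]{6}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes card numbers from arbitrary digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Optional[str]:
    """Return the PI type of a single value, or None if no pattern matches."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    digits = re.sub(r"[ -]", "", v)
    if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
        return "card_number"
    if BOOKING_RE.match(v):
        return "booking_reference"
    return None


def classify_record(row: Dict[str, str]) -> Dict[str, str]:
    """Step 1: map each field of a record that holds detectable PI to its PI type."""
    found = {}
    for field, value in row.items():
        kind = classify_value(value)
        if kind is not None:
            found[field] = kind
    return found


def normalize(value: str) -> str:
    """Canonical form so 'Ada.Lovelace@EXAMPLE.com' and '4111 1111 ...' compare equal."""
    return re.sub(r"[ -]", "", value.strip().lower())


def token(value: str, key: bytes) -> str:
    """Keyed pseudonym of a value; lets two datasets be joined without raw values."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def match_leak(inventory: Iterable[Dict[str, str]], leaked_values: Iterable[str],
               key: bytes) -> Dict[str, List[str]]:
    """Step 3: return {customer_id: [matched fields]} for inventory PI found in the leak."""
    leaked_tokens = {token(v, key) for v in leaked_values}
    hits: Dict[str, List[str]] = {}
    for row in inventory:
        for field, value in row.items():
            if field == "customer_id" or classify_value(value) is None:
                continue                      # only compare fields that hold PI
            if token(value, key) in leaked_tokens:
                hits.setdefault(row["customer_id"], []).append(field)
    return hits


if __name__ == "__main__":
    for row in INVENTORY:
        print(row["customer_id"], classify_record(row))
    print("affected customers:", match_leak(INVENTORY, LEAKED_VALUES, DEMO_KEY))
```

Running it reports C001 as affected through its e-mail address and C002 through its card number, while C003's Luhn-invalid digit string is never treated as a card and the unknown leaked address produces no match. In practice the leaked side would be tokenized once, by the party holding the dump, and only the tokens shared for comparison.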

BigID is positioned at the heart of the data privacy revolution that is changing the world, helping companies and consumers harness machine learning to protect personal information and meet global privacy mandates. Click here to set up a demo and see how BigID helps organizations transform their data privacy.