But what exactly were they found guilty of, how was the amount of fine calculated, and are more fines on the way for other companies?
Subjects covered include the BA and Marriott cases, as well as how organisations can ensure they don’t fall foul of GDPR requirements. Measures covered include identification, mapping and classification of data, how to store data and dispose of it securely, plus GDPR’s stipulations over the “secondary use” of data.
Antony Adshead: What was the background to the recent GDPR fines for BA and Marriott?
Mathieu Gorge: The ICO [Information Commissioner’s Office] in the UK has used its powers to issue fines against Marriott and British Airways.
The one with BA has got a lot of [media] traction right now because of the size of the fine, which is in the region of £180m, or equal to 1.5% of global revenue.
If you remember, GDPR is able to issue fines of up to 4% of global revenue, so from that perspective, it’s kind of clear that the ICO is making an example of those two organisations. We do know there are going to be appeals from both organisations with a view to having them reduced.
What is interesting about both fines is that they both relate to credit card breaches – issues where credit card data was not handled the right way and ended up being stolen and [there were] major disruptions for consumers and for business partners and the organisations themselves.
This raises the issue of compliance with PCI-DSS [Payment Card Industry Data Security Standard], and whether PCI-DSS is now a fully legal obligation from a GDPR perspective. From a security practitioner perspective, this makes complete sense because credit card data is personal data under GDPR.
What is also interesting is that the ICO in the UK, the Office of the Data Protection Commissioner in Ireland and the CNIL in France have majorly increased their number of staff in the last two years.
Therefore they are all preparing for similar fines, so the message is that we need to pay attention to these fines, to understand how they work, how they can be appealed (if at all) and what the fine is likely to be, because that has major implications for your compliance budget to prepare for GDPR.
Adshead: In the light of these fines, how can firms prepare themselves and what are the implications for storage and compliance?
Gorge: From a storage and compliance perspective, it is obviously a requirement to map out the data that you process, store or transmit. So, to do that, you need to identify the type of personal data.
If I go back to the BA and Marriott issues, it was credit card data, but if you look at issues with the NHS, it would be protected health information. If you look at any type of compliance outside of the EU, for example the CCPA [California Consumer Privacy Act], you’re looking at any kind of data pertaining to specific citizens in California.
So, once you have all your data mapped out and identified, you need to understand if you have the right levels of consent, how you store that data, and whether it is done in a GDPR-compliant manner.
Remember, GDPR states you must take “appropriate security measures” to protect the data from a technical perspective, but also from a training perspective. Users need to understand where they fit in as a data processor or data controller, and there is also the aspect of disposing of the data once you no longer need it.
One of the key things right now that is getting a lot of focus is the issue of secondary use of the data. Let’s assume you did get the data legally; to be GDPR-compliant, you are only allowed to use it for a specific purpose.
So, if you want to use the data for a second purpose, you need to go back to the person whose data is being processed, and therefore there is another process to go through to ensure you use the data the right way and the citizens know their data is being used for a secondary purpose.
Good data storage can help you be compliant, not just with PCI, as in the case of Marriott and BA, but also with GDPR altogether.
It is worth noting that if you don’t know where to start, PCI-DSS is a very good framework to start with. While it is designed for credit card data, it is extremely prescriptive, whereas GDPR is still open to interpretation.
My guess is that lawyers for BA and Marriott will argue that they had taken appropriate security measures, or had taken as many as they could at the time of the breach.
So, it will be interesting to see how this plays out. My guess is that we will see a few more big fines from the ICO, the Irish Data Protection Office and the CNIL between now and the end of 2019.