For those of us who work in IT, it seemed that barely a day passed in the first five months of 2018 without someone mentioning the dreaded GDPR.
Businesses, both large and small, spent so much time ensuring that when the new legislation came in, they had their data in order.
With fines of up to 4% of annual revenues, it makes financial sense to do so, notwithstanding that businesses that hold our personal data really should be adhering to best practices anyway.
Despite this, there was always an inevitability that some businesses wouldn’t meet all the required data security standards. And there would be a breach, a loss or an act that would see a name we all knew and recognised holding up their hands and stating “we’ve been hacked”.
Enter British Airways (BA).
One of the UK’s most iconic brands suffered a breach and data theft on a colossal scale, with some 480,000 personal records stolen.
Naturally, the BA PR machine has been in overdrive in an attempt to make it look like it’s the bad guys we should be annoyed with.
And of course, they are correct – to a degree.
You wouldn’t blame an individual for being burgled, you blame the burglars. But it’s not quite as straightforward as that. Such large corporates, with so much valuable personal data, are aware that they are key targets and so blaming the bad guys is not really a great defence. The security teams have to do better, be more aware, be smarter.
The Information Commissioner’s Office (ICO) will now look into this case knowing that GDPR has raised the conversation. And, 4% of annual revenues for BA is an eye-watering £489m, which means there could be quite a fine waiting in the wings for the disgraced airline business.
But it’s also the reputational damage to the brand that will be costly. BA was once one of the most revered brands in the aviation industry. However, trust in the brand has been slipping for some time, making incidents like this even more costly than the financial fine alone.
So where does this leave the executives and those responsible for IT?
Well, ultimately the CEO has to take responsibility, and we saw last month, with the demise of Paul Pester at TSB, that this can render their position untenable. It will be interesting to see how this plays out from an ICO perspective, whether BA’s senior executives survive, and what it means for the brand.
It’s just another reminder of the vital role that technology plays in today’s businesses. We all have little choice but to provide our personal details to an array of organisations and then trust that they will be kept safe.
Boardrooms across the world need to take note and executive teams need to appreciate that failing to plan and invest in technology can lead to catastrophic outcomes and make customers question whether their trust and business should be placed elsewhere.