British Airways has just been levied the highest fine to date for data protection breaches by the UK's GDPR regulator, the ICO: a total of £183m, or 1.5% of their £11.6 billion revenue last year. The ruling stated that BA had poor security arrangements in place to protect customer information from being accessed.
This ICO GDPR fine confirms predictions that data protection agencies in Europe will not hold back in enforcing the regulation. The ICO, for example, has increased its internal resources and will investigate complaints. The intention is clear: it will issue a GDPR fine where appropriate.
This incident raises the question: how seriously did BA take data protection? Data protection compliance is not just for big tech companies like Google, Uber and Facebook. GDPR compliance covers any business that stores sensitive customer data.
Supplier GDPR compliance
If your company stores customer personal data, ask yourself: is your SaaS supplier GDPR-compliant?
All organisations, big and small, around the globe that process any personal data about citizens in the EU should take serious action to comply. This includes non-EU organisations, as this fine demonstrates. To ensure compliance, audits will need to be conducted on how all personal data has been processed historically and how it will be processed in the future.
Before entering into a contract with a Software as a Service (SaaS) supplier, you should consider what steps they are taking to meet the standards set out by the GDPR. What information security management system do they have in place to ensure they are compliant with government cloud implementation standards? Do you know whether you have the right to delete your customers' stored data if they demand it? Can you easily find that user data and send it to them in a suitable format? Is the data centre that stores your personal data certified to ISO 27001?
Processors and controllers
The GDPR requires the controller (the company) to sign a data processing agreement with the processor (the cloud provider) which stipulates a number of obligations, such as:
- only acting on the documented instructions of the controller,
- taking adequate security measures to protect the data against loss or unauthorised access,
- assisting the controller in responding to data subject requests,
- deleting all copies of the data after the termination of the service.
Similarly, the controller is itself required to meet the obligations set out by the GDPR. This means the company must be able to demonstrate which processes it has implemented to guarantee data protection and compliance.
The processor is liable for any damages arising from poor compliance, which includes acting against the controller's instructions or data breaches caused by the processor. However, you, the company, must also take responsibility for the actions of the processor. This means you should take care when engaging a supplier that has little to no track record, or a history of negligence.
It is important to always check the Terms and Conditions. Most cloud providers deliver their services on the basis of terms and conditions that do not meet the strict requirements set out by the GDPR, and unfortunately these terms are often non-negotiable. If this is the case, you need to change suppliers.