What SMEs can learn from the BA data breach

When British Airways hit the headlines for all the wrong reasons this week, thanks to news of an impending £183 million fine for last year’s massive data breach, it showed in several ways why it’s more important than ever to take good care of your data.

Firstly, of course, the Information Commissioner’s Office (ICO) demonstrated that it’s serious about applying GDPR and willing to levy record penalties where organisations have clearly been complacent about managing third-party data and handling breaches.

And, if you run a smaller business, don’t think this can’t affect you. As Kim Bradford, Managing Consultant at Sphere Data Protection, points out, “GDPR applies to any business that processes people’s personal data, so SMEs are subject to exactly the same rules and penalties as larger enterprises.” That can mean fines of up to 4% of your annual turnover if you are found to be fundamentally in breach of data protection law.

But the second – and probably more important – lesson is the threat of reputational damage when anyone whose data you hold finds out you haven’t been protecting it adequately. And that can amount to a lot of people, such as past, present and potential customers, as well as suppliers, partners and more. “The negative impact on businesses, when they’re all of a sudden shown to not be very careful with people’s personal data, can be massive,” says Kim. “That’s something you really should sit up and pay attention to. Consumers will vote with their feet – particularly if, like BA did at first, you act defensively and try to downplay the seriousness of what happened.”

She likens it to a bank having its physical security breached. “If you purchased a box in the vault of a bank and you put a priceless diamond necklace in there, but the bank was broken into and the necklace was stolen, you’d ask how the thieves got in. If you found out there was nobody on guard that day, or if the bank had left the doors open, you’d be horrified, as you’d have assumed you could trust the bank to keep your possessions safe. And it’s no different with people’s personal data.”

This is why it’s vital to ensure you’re managing – and protecting – your customer data according to current best practice, says Tim Chisnall, Cognition24’s Business Director. And underpinning this, it really helps to have the right technology solutions in place, alongside the right company procedures. “We’re seeing an increasing demand for solutions that can record your compliance landscape and any incidents that may breach GDPR rules, to prove to the ICO that you are fully compliant,” he says.

Managing a breach

What can you do if the worst does happen and you find there’s been a breach of your customers’ data? Kim advises the following:

  • If it’s a serious breach – that is, it’s likely to impact negatively on the rights and freedoms of the individuals whose data has been breached – then you must alert the ICO within 72 hours (even if it’s a weekend or public holiday).
  • If you’re not sure how serious the breach is, it’s probably best to alert the ICO anyway to be on the safe side. You can do this by calling, emailing, filling out an online form or using their webchat, and the people working there are usually helpful.
  • Show genuine empathy for the people whose data has been compromised and do everything you can to smooth things over with them. This could include: being fully transparent about what happened; issuing regular updates; and publishing sensible advice such as changing passwords, alerting your bank, going to Action Fraud and so on.

This latter point, says Kim, is something that most businesses fundamentally fail to do in the panic of discovering a data breach. “They forget to put themselves in the data subjects’ shoes, and this only ends up making things worse for them from a reputational perspective,” she says. “It’s about following the basic principles of good customer service. You should take every opportunity to live and breathe your brand and inject it into every single touchpoint that you have with the public – and this should particularly be the case when things go wrong.”

Want to be sure you’re doing the right thing?

If you’re feeling uncertain about whether the data you hold is adequately protected, or what to do if it’s not, it’s important to seek good advice. Get in touch with Tim and he’d be happy to discuss the steps you can take to avoid ending up in the same situation as BA.