Last Friday, the green light was given for British Airways customers to bring a class action against the airline over its 2018 data security breach.
This wasn’t really a surprise, but it means that, in addition to facing a fine of over £183 million, British Airways now also faces a substantial compensation payout (it is estimated that around 500,000 customers were affected by the data breach).
Importantly, the GDPR makes it clear that, in addition to being able to claim for financial losses (such as losses resulting from fraudulent transactions), individuals who are affected by a data breach can also bring claims for ‘non-material loss’. This includes psychological damage or distress.
It is yet to be seen how the claimants’ lawyers will go about proving that psychological damage or distress has been suffered by their clients. However, if they are able to meet the requisite burden of proof, this will greatly increase British Airways’ compensation bill. It will also make it more likely that we will see similar class actions in the future.
The eventual financial repercussions for British Airways – taking into account both the fine and compensation payments – are likely to be at the top end of the scale. Nevertheless, all organisations should very much view British Airways’ fate as a cautionary tale.
When commenting on the British Airways fine, Elizabeth Denham, the Information Commissioner, stated that “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
As a result, no matter what the size of your organisation, compliance with your security obligations under the GDPR is not something you can afford to ignore.
If you’d like more information about the compliance obligations under the GDPR relating to the security of personal data, please don’t hesitate to contact a member of our Information Law Team.