Originally Posted by msm2000uk
My sister received an email recently with someone else's booking details etc.
She, working for a large retail family, advised BA of the following:
This is, I believe, a data privacy breach. Given GDPR regulation is coming into force May 2018, I would think BA would already have this sort of major privacy breach fixed. If GDPR was already in force I do believe BA may be liable for a fine of EU20M or 4% annual turnover.
She is waiting to see what their response is.
M
GDPR is irrelevant until it comes into force in another 12 months, although your sister may have wished to show off her knowledge of GDPR, as evidenced by the pointless stating of the maximum fine, which is actually, even after the regulations come into force, unlikely to be applied in this case - see Article 83 and additionally Articles 101 and 102 of the TFEU.
The reason why the legislation doesn't come into force until next year is to allow organisations to meet their obligations within the regulations. BA are required to comply with current legislation and therefore the DPA is far more relevant in this case. The ICO has issued fines to airlines for DPA breaches; for example, a month ago it announced a £70k fine to BE for marketing to 3.3 million people without marketing consent.
The ICO has issued a lot of guidance about the new regulations. The breach would only need to be notified if it was Serious and High Risk; indeed, the new regulations remove the need to report a lot of the breaches that are currently reported under the DPA.