Originally Posted by
plunet
I lodged a SAR (subject access request) to the BA DPO (data protection officer) back in mid September which by law has to be responded to within 30 days. I chased it at the end of October only for BA to acknowledge that there were delays and a backlog of work in the data protection office, gave no timescales for my SAR to be answered, but commented that the ICO (information commissioner's office) were aware.
I then reported this to the ICO as a formal complaint against BA as they had not responded within the statutory 30 day timescale at the start of November. After chasing the ICO this weekend it transpires that they also have a backlog of casework and they are currently processing cases logged at the end of August.
BA don't care. They could easily have put more resources into their DPO operation and made them productive by now.
And the ICO is underresourced and probably won't get to my case until the new year.
Lovely.
I’m not one to normally jump to BA’s defence, but faced with one (possibly more?) major cyber breaches and faced with scarce resources, I’m not sure I’d be prioritising SARs right now, legal obligation or not.
The nature of cyber risk is that you need to run very fast to stand still as the threat landscape evolves so quickly. So this isn’t a case of remediating the known breach and sit back, there are a million and one other potential threats out there, exacerbated because because BA will now be perceived as a laggard and will attract more attention.
At a more general level, I’m somewhat surprised at the expectations from many on this thread. You know enough about BA’s IT issues over the last few years (cyber and garden variety resilience), you know they are in cost cutting mode, you know their customer comms are cookie cutter copy paste nonsense......what did you really expect and more pertinently, why are you expecting them to turn on a sixpence and almost overnight issue personalised customer communications etc. etc.?!