Following last week’s update to the Privacy and Electronic Communications Regulations (PECR) from the Information Commissioner’s Office (ICO), the UK body has issued its first big fine to British Airways (BA) for a record fine of £183 million for last year’s data breach of its security systems which saw the theft of almost 500,000 customers personal data and information from its website.

The incident was first disclosed on 6 September 2018 where the airline had initially commented approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.

The ICO has now proposed a penalty of £183.4 million, or 1.5% of British Airways’ 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline. This is the largest fine the UK body has put forward since the PECR changes.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience,” said the Information Commissioner Elizabeth Denham.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

BA’s chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the proposed penalty adding the airline “responded quickly to a criminal act to steal customers’ data”.

Why is this a big issue?

The potential fine represents one of the first under the regulations that have gone over the previous maximum of £500k – GDPR allowing for up to 4% of global turnover or €20m. Add this to the PECR updates and it’s fair to say that awareness is more important now than ever when it comes to handling consumer personal data online.

“This is the first fine the ICO has announced under the new GDPR laws and the level of the proposed fine is unprecedented in the UK, highlighting the importance all businesses should place on the security of customers’ data,” said Rachel Aldighieri, MD of the Data & Marketing Association. 

“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers.”

Another report has surfaced that the ICO is set to impose a £99 million fine on international hotel chain Marriott for a data breach which occurred in November 2018

Cookies, consent and legitimate interest

Today’s headlines have also brought the attention of cookies and tracking personal data, something that’s been discussed on PerformanceIN on several occasions but even more so than ever, which under the GDPR regulation, counts as within the definition of personal data.

As part of the ICO guidelines on cookies and processing data, if the cookies require consent under PECR, you cannot use one of the alternative lawful bases from the GDPR to set them.

“If the cookies you set aren’t exempt from Regulation 6, then you can only use consent – and this must be of the GDPR standard. This is also the case whether or not personal data is involved,” the ICO outlined in its guidelines.

“You should also be aware that European data protection authorities, including the ICO, have previously stated that, in certain cases, the processing of personal data that follows (or depend on) the setting of cookies is highly likely to require consent as its lawful basis.”

Since the role out of GDPR last year, the affiliate marketing industry has positioned itself accordingly to deal with the impact of GDPR and handling personal data, particularly around cookies and consent. Networks such as Webgains and Tradedoubler are currently in the position of data processors using consent as a legal basis and Awin and CJ Affiliate as joint controllers using legitimate interest as a legal basis.

“Any guidance that helps to clear the opacity and grey areas around privacy compliant affiliate marketing operations is welcomed,” said Webgains CEO Richard Dennys; 

“This particular update from the ICO is in line with our expectations and original understanding of the GDPR regulations, to which we have now spent over two years updating our tracking methods, our contractual agreements with advertisers and our publisher terms across the whole Webgains estate across the world.”

What are your thoughts on the consent of personal data, the latest PECR changes and the ICO’s proposed record fine to the BA on last year’s data breach? Let us know in the comments below.