,
6 tweets,
2 min read
Read on Twitter
I can't overstate the significance of this #GDPR British Airways fine (1.5% of worldwide turnover / £183m) for anyone in security, privacy or senior management. You've got to get security right, with appropriate levels for your organisation, else the fines can be career changing.
Some factoids:
- GDPR fines (amongst other things) are for inappropriate security as opposed to getting breached. Breaches are a good pointer but are not themselves actionable. So organisations need to implement security that is appropriate for their size, means, risk and need.
- GDPR fines (amongst other things) are for inappropriate security as opposed to getting breached. Breaches are a good pointer but are not themselves actionable. So organisations need to implement security that is appropriate for their size, means, risk and need.
- Security is an organisation's responsibility, whether you host IT yourself, outsource it or rely on someone else not getting hacked.
The GDPR has teeth against anyone that messes up security, but clearly action will be greatest where the human impact is most significant.
The GDPR has teeth against anyone that messes up security, but clearly action will be greatest where the human impact is most significant.
Here's what the regulator (@ICOnews) had to say 
- A big point here is that the UK regulator was the "least supervisory authority" in this BA/IAG case under the "one stop shop" GDPR principle. So there'll only be one enforcement (not one in each EU country) and this action covers all affected individuals in the EU.
- This case was somewhat unique in that the impact was on a large scale. A lot of people lost a lot of money very quickly, and indirectly a lot of people were defrauded by related phishing and fraud scams. The impact wasn't just risks that might occur later,it was real issues now
