British Airlines may be fined on over $200,000,000 for data breach and that is why businesses shall re-think their practice.

Friday, July 18th, 2019

By Vanessa Dias

Last year, British Airlines was attacked by hackers that stole information from over 500,000 of its passengers. The company reported the breach as soon as it had notice, but informed at first that only 380,000 passengers were affected. The month delay to report all the affected passengers may cause the proposed record fine.

The General Data Protection Regulation (GDPR) from European Union entered in force last year, but most business still do not understand its importance. Unlike most may think, the GDPR does not affect exclusively European business, but any business in the world that collect data from subjects in Europe.

Why your business should care?

  • Does your business own a website? The web-world is almost without limits. If your business owes a website there is a substantial risk that its Privacy Policies shall comply with the GDPR. If your business provide services or goods in EU, then GDPR will apply. However, even if there is no transaction, and your website is marketing in an EU language, accepts EU currency or has an EU domain, then GDPR will also apply.
  • Applicable fines of $20 million or 4 per cent of annual revenue (which one is higher!). That is probably the point that is drawing the most attention. The fines applicable in case of noncompliance with the regulation has the power to take business out of market!

If you think your business may not be in compliance, here are a few things to think about:

  • First, your website must have a website Privacy Policy in place which discloses, among others, who is your business; what information do you collect from the users; how do you collect the information and how do you use their information;
  • Second, your business should use that document in conjunction with the website’s cookies policies and terms of use or terms and conditions;
  • At last, always communicate data subjects of any material change in your business’ Privacy Policies.

Even if your business hires a third-party processor you still need to take precautions and there are specific clauses that must be present in your contract with the processor.

The GDPR also requires in case of breach to notify the “EU regulator” or supervising authority in 72 hours if the information involves email addresses, personal data that contains sensitive data related to medical or financial information or identifiers associated with children. Additionally, your business would also need to notify the consumer if information included important personal information such as credit card and passwords.

“The law is clear—when you are entrusted with personal data you must look after it”, Elizabeth Denham, the Britain’s data privacy regulator.


Contact our office at 616-392-4100 if you have any question about your business compliance with the GDPR.


This post is made available to educational purposes only.  It provides general information and a general understanding of the law, but does not provide specific legal advice. By using this site, commenting on posts, or sending inquiries through the site or contact email, you confirm that there is no attorney-client relationship between you and the Blog/Web Site publisher. The Blog/Web Site should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.

Image: TheDigitalArtist. Under Pixabay License.

12274 James Street Holland, MI 49424 616-392-4100