I read the news today oh boy! BA got told they’ll have a fine to pay.
Willie Walsh is ragin’. A fine of how much? Damn you ICO.
The strange thing about this is that what we are dealing with at present is just a ‘proposed’ fine. The very direct impatient man in me thinks that this is such a waste of time. Why not just get the job done and fine them….? The more rational patient man in me realises it has something to do with them pleading their case, giving an opportunity to show how they have mitigated the damage done. Which they should probably do with some skill. So, my hunch is the fine is likely going to be dropped a good bit. I’m thinking like any good compromise the figure will land in the middle around the £100 million mark. No-one is happy with a good compromise. No-one is entirely unhappy either. My insatiable curmudgeon cannot wait.
The interesting thing about it is, as predicted previously here at Castlebridge Towers, that the initial fine is not even the half of it. What happens once the fine is finally revealed (eeek can’t’ wait!) is that BA then appeal-appeal-appeal in the courts until they wish to appeal no more.
£100million Willie. Sure, that’s only 1% of your turnover. Small change. What’s another £10million on Legal Fees?
The other aspect of interest is that the news has come out now at all. Why would the ICO announce a proposed fine to the press. Why would they risk annoying my inner impatient git? Or was this the work of BA? Rational, Patient man takes over again. It would appear that this is a case of a company fighting back not by going directly at the ICO but appealing to the political class who hover above them to outlay in some way that ‘all this personal data guff is fine and well but it’s getting in the way of business now’. Hmm we shall see; this gripping drama has not seen its last act.
And so, our gaze turns to the Irish context. Little ol’ Éire hosting the big international mega-data holders. Bit quiet there no? But not for long. The Data Protection Commissioner, Helen Dixon, has led us to believe that we should all be expecting our own big ‘drop’ soon. Remember a couple of weeks back when our very own Mrs Dixon was speaking to the Sunday Business Post where she comes across all chill in response to Politico’s recent report of her sitting on her hands rather than chasing the bold boys in the corner of data protection.
She explains that what is coming is going to be harsh as hell and highlights two main points: The fines of GDPR attach to each breach and, the point of GDPR is to engender change.
Let’s pretend I am a company. I use data badly twice a day for five days. That means I have used data badly 10 times.
Then let’s remind ourselves of the most boring line in the world which states that a company can be fined 4% turnover or whatever.
So theoretically be fined 10 times x 4%, which is 14% of turnover.
Only joking, it’s 40%. …. the type of figure which would make even your richer pals’ wince.
Remember that the recent report from the DPC (see page 50/51). Facebook is in the DPC dock for 10 of the 17 major investigations that the Commissioner is undertaking. That would illicit quite the oversized wince in FBHQ. Is Facebook likely to be put out of business by the DPC?
The key lies in the second part of the main points Helen Dixon makes in the SBP interview, which is that the focus of GDPR is to engender change. As is set out in GDPR, one of the factors to be taken into account when issuing a fine is the mitigating actions taken by the company in question. So, if a company changes the way they act based on what the Commission finds, then the fine issued may be lowered. This gives companies an obvious way out based on draft findings of the DPC (see the process flow of statutory inquiries here).
So, there is a path there, outlined which pretty much details that if we all hold hands and work together, we can walk towards a sunny happy personal data future. You may also have noted that the headline to the SBP article is that the tech companies are ‘lawyering up’ and that BA, while yet to actually be issued a fine, have stated that they will fight it regardless. The overall theme is that big organisations, rather than embracing change, are trying to beat it. This may be through the courts or it may be through the political system putting pressure on Data Protection Authorities in order to limit their scope. It’s likely going to be heavy dollops of both.
See you in Europe Willy!