Page 130 - Straight Talk On Project Management IV
Like puppies for Christmas, GDPR was about more than one day
"A Dog Is for Life, Not Just for Christmas" has become a somewhat iconic message, but as I write this on a blisteringly hot summer day there is no similar advice. Is now, then, a good time to buy a puppy on a whim? Of course it's not; the message behind the slogan is valid all year round. It's just that you never hear the message at any other time.
Similarly, there was a flurry of activity and media attention around the EU's General Data Protection Regulation (GDPR) last year, and rightly so. The consequences of being at the centre of a data breach, with a potential fine of 4% of turnover, meant most firms heard the message and acted to get their house in order.
Then GDPR Day came and passed, and everyone stopped talking about it.
Until British Airways was told it faced a fine of £183m for a data breach in which customers' credit card data was stolen.
GDPR got real then, didn't it?
Like those Christmas dogs, GDPR is for life and not just for that long-forgotten deadline day. A few friends have told me that they think their firms have taken their eyes off the ball since last May, and that IS a worry. The problem is that you might not know you have let things slide until you get stung.
The bad guys are not operating at the level they were at when you addressed your GDPR responsibilities last spring. They are getting more and more sophisticated, so your systems and approach have to evolve to match them. To be clear, BA got hit by scammers at the top of their game. Just imagine how much BA will have spent on data protection and how sure of their security controls they must have been. "Fort Knox" was how one security expert colleague had imagined them to be, and I guess few would have disagreed.
I think that most people doubted that the Information Commissioner's Office (ICO) would levy the maximum fine available to it. A rough calculation of 4% of BA's annual turnover gives a fine of about £500 million. That's a pretty unthinkable amount, especially given that the highest fine before GDPR was half a million.
Indeed, many thought that the level of security British Airways had, and the speed with which it reported the breach, would have meant a more lenient approach. GDPR stipulates that you have 72 hours (three days) to report a breach; it took British Airways just one day to announce it had been compromised.
Ian Thornton-Trump, a cybersecurity expert, was quoted by Forbes predicting a fine "in the £5 to 10 million range". Many observers thought even this might be on the heavy side, so when that £183m figure was announced the whole internet security and business community gave a collective gasp.
It's not just the fine, of course: a data breach brings claims for compensation from customers who might have suffered financial fraud as a result, and then there is the incalculable damage to