GDPR: Your data, under your command

Share on facebook
Share on google
Share on twitter
Share on linkedin

At PGMBM, one of our specialist areas of practice is data breach litigation. We are currently helping the victims of a number of data breaches receive justice and compensation. We understand the legalities surrounding data handling and the General Data Protection Regulation 2016/67 (GDPR) can often feel overwhelming, so we have shared our expertise to help create a better understanding of the matter.   

The progress of data protection  

In 1977, Germany became the first state in the world to enforce laws concerning data protection. Needless to say, human dependence on technology for the collecting, storing, and using of data has grown considerably since 1977. In today’s age, from booking a taxi over an app to signing up for an online newsletter, we share our personal data with various organisations on a daily basis.   

However, as the use of technology for storing and processing data has grown, so has the risk of one’s data being misused. Aptly, the laws in relation to data handling have evolved for the better. Henceforth the introduction of the GDPR.   

Before decoding the relevant sections of GDPR, it is important to familiarise ourselves with the meaning of certain terms so as to better understand the article and for future reference. 

Term  Meaning 
Data subject  The person to whom the data belongs. 
Processing data   Any operation or set of operation performed on personal data.   
Data controller  The entity who controls and decides how the data would be processed. 

I.e., the company you share your data with such as British Airways or Mercedes. 

Data processor   The entity who processes data as and when instructed by the data controller. 

I.e., this could be the cloud services they use to store your personal information.  

Prior to the enforcement of GDPR, the Data Protection Act 1998 (DPA) [1] allowed any data which could be used to identify a living individual to be termed as personal data’. The DPA  further noted that any information relating to one’s racial or ethnic origin, political opinions, religious beliefs, trade union memberships, physical or mental health, sexual life, and commission or proceedings for any offence committed or alleged, must be treated as sensitive personal data’. [2]

While it may seem that the DPA 1998 had already allowed for the term personal data to be interpreted quite broadlythe GDPR went further in its addressing of two further factors: 

1. To cover the new variants of personal data that came into existence due to the increased use of online applications and channelswhich are vulnerable to being stolen and/or misused; and 

2. Tincrease the level of responsibility that organisations who own such online applications and channels have towards the data they possess and to scrutinise their use of it. 

New variants 

GDPR addresses the first factor through Article 4,[3] which extendthe meaning of personal data to location data and online identifiers’. It also incorporates the concept of pseudonymisation.  

Pseudonymisation refers to processing personal data in such a manner that it cannot expose or lead to a particular individual, unless it is used with additional information. This ‘additional information’ is required to be kept separately in a secure manner 

When protecting personal information using pseudonymised data, organisations may choose to use reference numbers rather than the names of its customers when working on their matters internallyand only a few selected employees could find the personal data by using the reference numbers after clearing the security checks put in place 

Although pseudonymised data remains personal data, it succeeds in being a security measure by working as a lock on accessing personal information, with the key being clearing the security measures put in place. 

For example, when storing email addresses and phone numbers securely, your personal information may be used in a pseudonymous form, like this: J****p***@*** This would appropriately protect it from any third-party hackers and prevent a breach of your data. 


As far as the second factor is concerned, Article 24[4] of GDPR sets out the responsibilities for data controllers. It provides that a ‘controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’. 

Keeping in consideration that organisations of various sizes and varying financial resources handle and process data, the GDPR allows for flexibility over what technical and organisational measures could be put in place.  

Even though pseudonymisation is the only explicitly mentioned example of technical measure (which can be quite expensive ), ‘using two-factor authentication on accounts where personal data are storedor even contracting with cloud providers for end-to-end encryption’,[5]  could also suffice depending on how and why data is collected and used.  

In terms of organisational measures, exercises like ‘staff trainings, having a data privacy policy in the employee handbook or limiting access to personal data’[6] could also be sufficient. 

In order to process data in accordance with this regulation’, the data controller and data processor must carry out their duties with respect to the seven principles of GDPR set out in Article 5.[7] These are: 

1. Processing data lawfully, fairly, and in a transparent manner 

2. Processing data only for the purposes set out when collecting it 

3. Collecting and keeping data only in relevance to required purposes 

4. Keeping the data up to date and accurate 

5. Holding data for only as so far it is required 

6. Ensuring data is secure from unauthorised and unlawful processing and against accidental loss, destruction, or damage 

7. By being responsible for and demonstrating compliance with the principles. 

Not only does the GDPR enforce a greater responsibility over data controllers and processors, but it has also made data protection a central aspect around which an organisation’s functioning must revolve.  

For instance, Article 25[8] requires the very means through which data is processed to be inherently ‘designed to implement data-protection principles.’ 

Recital 78[9] provides guidance over how an organisation that needs to process personal data to fulfil their tasks must, whilst creating applications or systems they would use, have the principles of GDPR at their centre to ensure that data protection takes place by default. 

Consequences of breaking GDPR 

In case a data controller or processor fails to perform their duties in accordance with the regulation, the data subject has the right to an effective judicial remedy. This is provided for by Article 79.[10]

In scenarios where a data controller has failed to comply with the basic principles of GDPR, there can be fines of up to €20 million or 4% of the total worldwide annual turnover of that organisation in the preceding financial year – often whichever is higher.[11] 

Huge organisations like Google, Marriott, and H&M have all been subject to fines arising from non-compliance of GDPRwith Google being subject to fine of €50 million[12] for not being transparent in the way it processed data to achieve ad personalisation. 

British Airways and GDPR woes  

On 6 September 2018, British Airways (BA) emailed its customers: “From 22:58 BST August 21, 2018 until 21:45 BST September 5, 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.”[13]  

In October 2018, following an inquiry undertaken by specialist forensic investigators, BA again notified some of its customers that they had been affected by data theft; this time when making a reward booking between 21 April and 28 July 2018.[14]  

In October 2020, a thorough investigation by the Information Commissioner’s Office (ICO) concluded by stating that BA’s failure to secure the data of its customers constituted to a serious failure to comply with the GDPR’ and imposed a fine of £20 million.[15] It is important to note that the fine will be paid to the treasury, not to the individuals who fell victim to the breach 

Detailing BA’s failures, the ICO reported that BA had faced a ‘supply chain attack’ and information for avoiding such attacks was already present in public domain. It found that BA had chosen to ignorthis advice and failed to follow it as a precautionary measure.  

Further, given that the attackers accessed BA’s network using compromised credentials, had BA implemented a multi-factor authentication (MFA) system, rather than simply allowing access to their network remotely by using a username and password, it would have served as taking reasonable steps towards safeguarding data.  

Unfortunately, BA was of the view that implementing MFA was not required. However, even whilst supporting the view that MFA was not required, BA could have implemented other appropriate measures such as: external IP address whitelisting or used an IPsec VPN. As suchand much to the dismay of its customers, changes to BA’s security system came only after the attack took place. [16] 

An attack that compromised the personal data of 429,612 of its customers.[17] 

As of yet, even after being imposed with a fine for failing to secure its customers data from unauthorised and unlawful processing and against accidental loss, destruction, or damage, BA denies admitting liability for the GDPR breach.  

Your time is now 

All hope is not lost for those who were impacted by the breach – PGMBM continues to fight for their rights. On 4 October 2019, PGMBM (then known as SPG Law, a trading name for Excello Law Limited) succeeded in its application for a Group Litigation Order to bring claims for the data breach.

This gives a ray of hope to the hundreds of thousands who remain distressed at being left in the dark, not knowing who took their personal data, who has it currently, and what purposes it is being used for – all because BA did not take the appropriate steps to safeguard.  

If you believe your data was stolen, visit to take action and join the tens of thousands who have already instructed PGMBM to claim for compensation. 

The cut of date for applicants is 19 March 2021, so don’t wait. Signup now.  


Author: Sartaz Billing, Paralegal.

[1] Federal Data Protection Act of 1977
[2] Section 1.1 of the Data Privacy Act 1998
[3] Section 2 of the Data Privacy Act 1998
[4] Article 4.1 of the General Data Protection Regulation
[5] Article 24.1 of the General Data Protection Regulation
[6] Ben Wolford, what is GDPR, the EU’s new data protection law < > accessed 22 December 2020
[7] Ben Wolford, what is GDPR, the EU’s new data protection law < > accessed 22 December 2020
[8] Article 5.1 and 5.2 of the General Data Protection Regulation
[9] Article 25.1 of the General Data Protection Regulation
[10] Recital 78.1, ‘’Appropriate Technical and Organisational Measures’’, General Data Protection Regulation
[11] Article 79.1 of the General Data Protection Regulation
[12] Article 83.5 of the General Data Protection Regulation
[13] Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 pronouncing a financial sanction against GOOGLE LLC. < > accessed 22 December 2020
[14] BRITISH AIRWAYS DATA EVENT GROUP LITIGATION PARTICULARS OF CLAIM (public record), paragraph 36 < the link to it > accessed 21 December 2020
[15] ICO’s penalty notice to British Airways plc, pg. 3 < ba-penalty-20201016.pdf (> accessed 22 December 2020
[16] Joe Tidy, British Airways fined £20 million over data breach, 16 October 2020 < > accessed 21 December 2020
[17] ICO’s penalty notice to British Airways plc, pg. 24 < ba-penalty-20201016.pdf ( > accessed 22 December 2020

PGMBM (a trading name of Excello Law Limited) – SRA License Number 512898

Excello Law is authorised and regulated by the Solicitors Regulation Authority and complies with the Solicitors Code of Conduct, a copy of which can be located here.