Greetings from Brussels!
It has been an interesting time of late for British Airways, one of the first organizations to have a highly publicized breach in the GDPR era, and so likely to be a test case for many in the privacy ecosystem.
Last week, as you’ll undoubtedly know, BA had to notify the U.K. authorities of a serious data breach of its online systems, both the BA.com website and the mobile app platform, after hundreds of thousands of customers' personal and financial details were stolen. The airline said the hacking activity continued — undetected — for almost two weeks, between 21 Aug. and 5 Sept., with 380,000 payments compromised. Incidentally, and as reported by BA, the stolen information did not include travel or passport details.
The airline’s boss, Alex Cruz, apologized for what he says was a sophisticated breach of the firm's security systems and promised compensation, telling the BBC, "We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered."
With the GDPR now in force since May, it is mandatory for companies to report data breaches and hacking activity within a 72-hour timeframe, and, to their credit, BA complied and duly reported the breach once discovered. There have been some well-publicized cases in the past where it took more than two years to report sizable data breaches; in this instance, you have to say the new regulation is having an impact.
In a further development that could only happen post-GDPR, on Monday, SPG Law, the U.K. branch of U.S. law firm Sanders Phillips Grossman, said that it was planning to launch a 500 million GBP group action — the British version of a class-action lawsuit — unless the airline opts to settle. The firm maintains that BA has not gone far enough by seeking to compensate only those customers who have experienced (or will experience) direct financial impact from the breach; it states that BA should be awarding customers "compensation for inconvenience, distress and annoyance associated with the data leak." Incidentally, 500 million GBP equates to 4 percent of BA’s global revenue — the maximum fine under the GDPR. SPG Law maintains that BA is liable to compensate for non-material damage under the U.K. Data Protection Act 2018, the revised version that went into effect in May, which includes but is not limited to all the GDPR requirements. The GDPR article SPG Law relies on is Article 82 — "Right to compensation and liability" — which states, "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered." Whether the lawsuit actually sees the light of day, we will have to wait and see.
In the meantime, BA says its investigation continues and that it is cooperating with the police and cyber specialists. The ICO has said its inquiries into the breach are continuing. Busy times for the BA privacy team, no doubt. And something to watch for organizations still trying to understand how the GDPR has changed the privacy landscape.