This month British Airways bosses are apologising to their customers for a ‘sophisticated, malicious, criminal attack’ on its website, app and ‘security systems’ which has left 380,000 customer records compromised. They’ve done all the ‘right’ things in response to the incident – they’ve apologised, they’re contacting customers and promising compensation for the stolen data, and they’ve informed the UK Information Commissioner’s Office, which is now ‘making enquiries.’ As the first high-profile, large-scale breach under GDPR, British Airways could be facing a maximum fine of £500 million – 4% of its total revenue of £12.2 billion. Possible penalties, enforcement and lowered share price aside – what is the true cost of such a breach?
The focus of the breach isn’t actually the business itself. It isn’t the financial or operational data, nor its products and services data. Not even the business’ own bank data. The focus is always customer data: our email addresses, our phone numbers and our credit card details. It truly is personal.
We trusted British Airways with our sensitive data, and it’s been stolen. Imagine giving your credit card to a trusted friend to look after and finding they’ve lost it? You’re not likely to ask them again, nor are they likely to remain ‘trusted’.
Fundamentally it’s a breach of customer trust – resulting in a loss of business reputation, loss of competitive advantage and ultimately, revenue. Trust and confidence cannot be compensated, or easily bought back. Some have tried – see Facebook’s recent privacy and ‘data use’ campaign promises to protect our privacy – but as consumers are we actually given access to the data privacy and permissions?
British Airways was not an isolated incident – Uber, Wonga, Experian, HSBC. Data breaches are an inevitable by-product of our dependence on technology and out-dated infrastructure. The abilities of malicious actors or hackers will evolve beyond (or at least, at) the rate of organisations’ ability to secure and protect data, which is why the GDPR recognises you cannot have true data protection without data privacy – and a fundamental piece of privacy by design is putting the customer in control of their data.
So – how to rebuild trust? Get the customer involved, ASAP.
Ultimately, we need the products and services that businesses offer, and businesses have collected our data in pursuit of offering the services that we need. By getting us, the customer, to engage actively in the data collection processes and have transparent visibility of the data held, and why it’s being used – you’re building trust and accountability. As a business you can be fully transparent by showing us exactly what permission you have over our data, why you have it, for how long and even where it is stored. This accountability should be demonstrated not just at the point of collection but for the entire lifecycle of customer engagement and across all customer touch-points. Make customer consent a standard, seamless and ongoing part of the customer journey.