Does Your Website Need To Be GDPR Compliant?

A British law firm has filed a group litigation order lawsuit against EasyJet, the largest airline in the U.K., after hackers accessed the personal data of around nine million individuals. The lawsuit seeks $22 billion.

On May 19, 2020, EasyJet announced the data breach, which involved the travel information of as many as nine million individuals and the credit card information of more than 2,000. The BBC reported that EasyJet knew of the cyberattack in January 2020.

The European Union's General Data Protection Regulation (GDPR) requires organizations to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. The U.K. Information Commissioner's Office (ICO), the supervisory authority for the U.K., is investigating the breach.

Some customers have reported receiving phishing messages spoofing EasyJet. However, there is so far no evidence that customer data compromised in the attack has been used for fraud.

In July 2019, the ICO announced its intention to fine British Airways £183.39 million (about $229.2 million) for GDPR violations after attackers stole the personal information of around 500,000 customers in 2018. Jeff Stone, "Lawsuit seeking billions in damages filed against EasyJet" (May 27, 2020).



The GDPR applies to personal data processing carried out by organizations established in the EU and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behavior (Article 3). The protection attaches to individuals located in the EU, not to EU citizenship as such. Because anyone in the EU can reach a website hosted anywhere in the world, a U.S. organization whose site is aimed at an EU audience (for example, by pricing in euros, shipping to EU countries, or offering EU-language versions) and that collects visitors' personal data is bound by the law; merely being reachable from the EU is not, by itself, enough.

Unlike some U.S. state laws that cover only biometric data, the GDPR applies to personal data generally: any information relating to an identified or identifiable natural person, including names, email addresses, online identifiers such as IP addresses and cookie IDs, and location data.

As the British Airways and EasyJet cases show, failing to comply with the GDPR can prove extremely costly. The GDPR allows administrative fines of up to €20 million or four percent of worldwide annual turnover for the preceding financial year, whichever is higher, on top of any civil claims brought by affected individuals.

U.S. companies are within reach of enforcement: an organization outside the EU that falls under the GDPR generally must designate a representative in the EU (Article 27), and the U.S. Federal Trade Commission enforced the commitments U.S. companies made under the E.U.-U.S. Privacy Shield framework, which only a small percentage of U.S. companies had joined by self-certifying. (Privacy Shield itself was invalidated by the Court of Justice of the European Union in July 2020.) Amazon, Apple, Facebook, Google, Netflix, Spotify, and Twitter have all been subject to GDPR-related E.U. regulatory actions. Google alone was fined €50 million (about $57 million) by France's data protection authority, the CNIL, for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

Revisit your cybersecurity and data breach notification policies. Keep in mind that the GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals, and that affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them (Article 34). The clock starts at awareness, not at confirmation of the full scope, so detection and internal escalation procedures matter as much as the notification template.

A GDPR compliance checklist aimed at U.S. companies is published at gdpr.eu (a resource co-funded by the EU's Horizon 2020 programme, not an official publication of an EU institution). It would be wise to review this list and work with your legal counsel and information technology team to confirm that your data collection practices do not create exposure. To learn more, read the “GDPR compliance checklist for U.S. companies.”
