Zenith CC&P Current Awareness

British Airways faces record GDPR fine

8 July 2019

Prof. Suzanne Rab

Zenith's Suzanne Rab writes:

The Information Commissioner’s Office (ICO) has announced plans to impose a record £183 million fine on British Airways (BA) after a data breach last year that affected around 500,000 customers.

The ICO cited “poor security arrangements” that led to the breach of logins, credit card information and other personal data.

The fine would be the largest that the ICO has issued, eclipsing the £500,000 fine against Facebook for the Cambridge Analytica incident that affected 87 million users. The fine imposed on Facebook was the maximum permitted under the Data Protection Act 1998, the legislation in force at the time. The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and allows the regulator to fine a company up to 4 per cent of its worldwide turnover. The fine in BA’s case represents close to 1.5 per cent of its 2017 revenues. BA now has 28 days to object to the ruling before it is final.

The ICO lists the factors in Article 83 GDPR as the criteria it will consider when deciding whether and how to respond to breaches of information rights. The policy is at a relatively high level of generality. The huge rise in data breaches, the vast number of notifications and the much higher public profile of the issue have led the ICO to focus attention on the most important and sensitive cases.

Current Awareness

By the CC&P team