GDPR shows its teeth with record fine for British Airways
The UK’s Information Commissioner’s Office (ICO) announced that it intends to impose a fine of £183.39 million on British Airways, based on a 2018 data breach that it says infringed Article 32 of the GDPR (security of processing). The fine is the highest ever levelled at a company in the UK for a breach of data privacy.
The ICO’s investigation found that customer information was compromised by sub-standard security, which allowed a malware programme to steal data entered on BA’s online booking site. Personal details, such as names, addresses, flight bookings, credit card numbers and site logins, for around 500,000 customers were compromised.
The fine is not final, as the data protection authorities of other EU member states have not yet weighed in. BA has indicated that it intends to lodge an appeal.
Our expert’s opinion:
Nine months into enforcement of the GDPR, fines imposed by EU data protection regulators for GDPR breaches amounted to €56m. A large part of that – €50m – related to a single fine, imposed by the French regulator on Google in January 2019.
The ICO’s ruling raises the bar and shows that UK regulators are taking data privacy every bit as seriously as their EU counterparts.
The size of the BA penalty – which represents 1.5% of BA’s total annual revenues – drives home the fact that data breaches pose more than reputational risk to organizations. It also says that organizations must focus instead on the prevention of such incidents, as in this case the claim by BA that it reacted quickly doesn’t seem to have reduced the penalty.
Commercial Director, UK