The UK Information Commissioner’s Office (ICO) has announced its intention to fine British Airways (BA) just over £180m, calculated as 1.5% of its annual worldwide turnover of £11.5bn (the GDPR permits fines of up to 4% of worldwide turnover or €20m, whichever is higher).
Although other EU data protection authorities have already imposed fines under the GDPR (e.g. Google was fined €50m by the French regulator CNIL in January 2019 for transparency and consent failings in its personalised advertising), recent headline fines in the UK have all been imposed under the old Data Protection Act 1998, which capped penalties at £500,000.
This latest fine relates to a hacking incident between June and September 2018 – i.e. after the GDPR came into force on 25 May 2018 – in which fraudsters diverted customers from BA’s website to a fake site to harvest their personal details.
The ICO found that the hack was enabled and made worse by BA’s poor cybersecurity and inappropriate data storage procedures. While BA might like to paint itself as just another victim of fraud, the ICO explained that BA is being punished for its failure to protect customers adequately: “The law is clear – when you are entrusted with personal data you must look after it.”
BA now has an opportunity to make representations to the ICO before the penalty is finalised (and to appeal any final penalty notice), and may succeed in reducing the total, but this case serves as a reminder that the GDPR applies to every business processing customer data, not just tech companies.
It is also a good example of international cooperation between data protection authorities – the ICO actively liaised with the regulators of other EU member states in investigating the hack.
Not every data breach will result in a £180m fine, but any business being docked 1.5% of its turnover will find itself having to explain a large hole in its accounts.
For further commentary on this case, or to find out how to comply with GDPR and protect your business against ICO sanctions, contact Graeme Fearon in Thrings’ Data Protection team.