ICO exercises GDPR sanctions with a £183 million fine for British Airways
We are starting to see the first wave of sanctions under the GDPR legislation coming through with British Airways coming under the spotlight of the ICO. Despite many data breaches hitting the headlines over the last 12 months, most of these cases were enforced under the old Data Protection Act 1998 which limited the powers of the ICO to fine large organisations to a maximum of £500,000.
In the current case, British Airways suffered a data breach in September 2018 when users to their website were diverted to a fraudulent one and this gave hackers the ability to harvest customers personal information. Approximately 500,000 customers details were compromised which the ICO say was due to poor IT security arrangements at the company. The ICO have served notice on BA of its intention to fine the company £183.39M for its infringements under GDPR and BA is no doubt compiling its response to this fine to see if it can be mitigated in any way.
It is clear that information regulators across Europe will exercise their powers to their fullest potential in cases where organisations have not taken steps to respond to their obligations under GDPR. One may have a degree of sympathy for BA, who suffered this breach 4 months after the implementation of the GDPR, but the message from the ICO is clear. Businesses should have already been working towards a position in the 12 months leading up to 28 May 2018 to ensure that their systems were sufficiently robust to deal with cyber- attacks. Those organisations who are latecomers to the party, particularly those dealing in large scale personal data or smaller scale sensitive personal data will be significantly exposed when (not if), they suffer a data breach in the post GDPR era.
If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team.