The ICO has today announced its intention to fine British Airways £183.39 million in the first flexing of its new penalty powers under the GDPR.

This is the first fine the ICO has announced under the GDPR and significantly bigger than its previous largest penalty under the UK data protection regime. Under the Data Protection Act 1998, the ICO could only impose a maximum fine of £500,000, which it levied against Facebook following the Cambridge Analytica data scandal. The ICO acknowledged at the time that “the fine would inevitably have been significantly higher under the GDPR”. The new legislation allows the ICO to impose much larger fines, up to a maximum of £17 million or 4% of global turnover. The fine it’s intending to impose on BA amounts to 1.5% of its worldwide turnover in 2017.

The ICO’s notice of intention to fine BA follows an extensive investigation carried out relating to a cyber-incident which began in June 2018, whereby user traffic to the BA website was diverted to a fraudulent site, where fraudsters harvested details of approximately 500,000 customers. The ICO’s investigation found that a variety of information was compromised by poor security arrangements, including names, email addresses and payment card details. 

BA now has an opportunity to make representations to the ICO before the ICO makes a final decision in relation to the fine. Whatever the final outcome, the message is clear - the ICO will not be shying away from imposing significant fines on data controllers that fail to safeguard people’s personal data. Once the final decision has been handed down, understanding how the ICO has arrived at this level of fine will hopefully provide guidance to all data controllers as to how a breach can be quantified.