British Airways record fine

The ICO has shown that it isn't messing around when it comes to GDPR compliance.

It has used its enhanced powers under GDPR to announce a record (proposed) fine of £183.39m against British Airways for infringing the Regulation. It is the first fine to be made public under the new GDPR regime; at this stage it is a notice of intent, so the final figure could change.

In her recent blog, which accompanied the publication of the ICO's "One Year On" report, Elizabeth Denham (the Information Commissioner) stated: "For those who do not take this [responsibility for compliance] seriously or those who break the law, we will act swiftly and effectively", going on to say that "we will not hesitate to act in the public interest when organisations wilfully or negligently break the law". This fine certainly demonstrates that.

The investigation concerned an incident in which traffic from customers visiting the British Airways website was diverted to a fraudulent website, which harvested the personal details of around 500,000 customers, including login credentials, payment card details and travel booking information.

Elizabeth Denham has commented “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.

British Airways said it was "surprised and disappointed by the penalty".

The principle of "integrity and confidentiality" (also known as the security principle, Article 5(1)(f) of the GDPR) says that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". This is what BA failed to do: the weaknesses in its security arrangements allowed customer traffic to be diverted to a fraudulent website.

When deciding whether to impose a fine, and how large it should be, the ICO weighs a number of factors (set out in Article 83 of the GDPR) to arrive at a penalty that is appropriate to the incident.

This includes things like:

> The nature, gravity and duration of the infringement
> The categories of personal data affected
> Whether the infringement was intentional or negligent
> The actions taken to mitigate the damage suffered
> The degree of cooperation with the ICO

As BA cooperated with the ICO's investigation and subsequently improved its security arrangements, this is likely to have had a bearing on the size of the fine, which equates to 1.5% of its worldwide turnover in 2017. So although £183.39m is a substantial fine for BA, it falls far short of the maximum the ICO has the power to impose: 4% of annual worldwide turnover or €20m, whichever is higher.

The above aside, we're starting to see a lot of companies jumping on the data breach and offering their services to help affected customers obtain compensation. This is a rising trend in the world of data protection, reminiscent of the PPI claims companies that helped customers recover money they were owed. Data breach claims could very well become the new PPI as people's data becomes more and more of a currency.