The ICO has today announced an intention to fine British Airways £183.39 million for breaches of the GDPR. This relates to a cyber incident notified to the ICO in September 2018 which involved the personal data of approximately 500,000 users. This will be the first fine issued by the ICO under the General Data Protection Regulation (GDPR) since the GDPR came into force on 25 May 2018.
Before today, the highest fine issued by the ICO was a fine of £500,000 issued to Facebook, which was the maximum fine possible under the old law. Under the GDPR, the ICO has the power to issue fines of up to €20 million or up to 4% of worldwide turnover, whichever is higher. The intended fine against BA amounts to a reported 1.5% of BA's worldwide turnover.
Whilst we have been waiting for the ICO to issue its first GDPR fine, the level of this fine will have surprised many. France had previously fined Google €50 million, so we knew that larger fines were a reality, but this will certainly have got people's attention. All organisations are under threat from cyber attacks, and so it will be useful to see the ICO's reasoning for such a large fine once the monetary penalty notice is issued. It is clear that, going forward, the ICO will be prepared to wield its new enforcement powers and hold organisations accountable.
This is currently only an intention to fine and British Airways will have the opportunity to make representations before a final decision is made by the ICO.
Information Commissioner Elizabeth Denham said: "...when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."