British Airways (BA) are potentially facing a £183m fine by the Information Commissioner’s Office (ICO) for breaches of the General Data Protection Regulation (GDPR) following last year’s cyber-attack. The actual amount of the fine will be determined after representations are made by BA and by other supervisory authorities.

The incident involved user traffic to BA’s website being diverted to a fraudulent site. Customer details were harvested through this false site, and personal data of approximately 500,000 customers were compromised. The data included log in, payment card, and travel booking details as well name and address information.

What are the rules?

The General Data Protection Regulation (GDPR) applies to all organisations that process personal data. It obliges organisations to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. The ICO notes that there were poor security arrangements in place.

The maximum penalty which could be imposed under GDPR is 2% of total worldwide annual turnover. The proposed penalty of £183m constitutes 1.5% of the BA group’s £11.6bn worldwide turnover last year. This intention to fine for a breach committed under the GDPR is the largest proposed fine so far, and greatly exceeds the previous highest data breach-related penalty (Facebook’s £500,000 fine following the highly-publicised “Cambridge Analytica” scandal, which was capped at that amount because the breach took place before the GDPR came into force).

Responding to the breach, Information Commissioner Elizabeth Denham said:

"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear; when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

This intention to fine will act as a reminder that the remit of the ICO is not limited to the tech companies most associated with big data, but can bite any business found to be in breach of the GDPR. It will also serve as a warning to businesses to ensure that they have adequate security measures in place preventing the loss or theft of data and periodically to test those arrangements.

As the most common data breach however is still a misaddressed email, organisations should continue to train staff and invest in technology which minimises the risk of human error.

What next?

BA has 28-days to appeal and, in an interview with Sky News, its chairman, Alex Cruz, expressed his surprise and disappointment by the finding and set out their intention to vigorously challenge it. They have cooperated with the ICO throughout the investigation. The ICO have said they will consider carefully the airline’s representations before making its final decision.

Despite Brexit, data regulation is here to stay, with the rules enshrined in UK law under the Data Protection Act 2018.

Authors