In October 2018, we reported that British Airways had been the subject of a hack which compromised data relating to around 380,000 transactions (https://www.bpe.co.uk/why-bpe/blog/2018/10/airline-hits-gdpr-turbulence/).
Whilst data breaches and their resulting fines are as common as cats and dogs these days, this one held particular interest due to the date it occurred.
Previously, fines by the ICO for breaches of the Data Protection Act 1998 were limited to £500,000. Following the implementation of the GDPR on 26 May 2018, this limit was significantly increased to a maximum of €20,000,000 or 4% of global turnover (whichever is the larger). Unfortunately for British Airways, the hack took place in and about June 2018, meaning the ICO was able to investigate and impose sanctions using its increased powers under the Data Protection Act 2018.
Whilst a final decision is yet to be made, the ICO has indicated it intends to fine British Airways a whopping £183M. Ouch. British Airways' co-operation with the investigation, and its efforts to improve its security arrangements, may go some way to softening that figure, but the fine will still be the biggest imposed by the ICO for a data breach to date.
The news indicates that the ICO is no sleeping watchdog but one which can and will bite if you cross its path.
If you need advice on complying with your data protection obligations, email our data protection team at email@example.com.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.