Data protection specialists at innovative London law firm iLaw have said that the Information Commissioner's Office's (ICO's) landmark fine against British Airways (BA) demonstrates that the regulator is serious about enforcing the new GDPR rules.
The ICO has announced its intention to fine the airline £183m in relation to the information security breach in which personal details, including payment card information, of around half a million customers were compromised. The breach was first reported in September last year, although it is believed that BA's systems had first been compromised up to three months earlier.
This is the first time the ICO has bared its teeth under the new fine regime brought in by the General Data Protection Regulation (GDPR) last year; the ICO is still dealing with many historic cases that predate the legislation, under which the maximum fine was £500,000.
Justin Ellis, a Director at iLaw and a data protection specialist, said that this latest fine shows that the regulator now has a bite as well as a bark, adding that the fine could have been far larger.
Ellis said, “No one is going to deny that a fine of £183m is significant.
“But this only equates to around 1.5% of BA’s annual turnover, while the GDPR allows the ICO to issue fines of up to 4% of annual turnover. So, the maximum fine would have approached £500m.”
Ellis believes that this latest fine should be a wake-up call for many companies that haven’t updated their processes or that have taken a laid-back view of the new rules.
Ellis added, “Last year the ICO levied its maximum available fine under the old legislation, £500,000, against Facebook in the wake of the Cambridge Analytica scandal. This is no small sum, but when compared to the firm’s revenue and capacity to pay, it is minuscule.
“It’s not surprising to see that the ICO has gone for a big target for its first GDPR fine. There will have been many other breaches that it could have fined, but none with the profile or size of BA. They clearly want this to be a wake-up call to all businesses.
“I am sure that this new fine will have many businesses thinking more carefully about their GDPR compliance programmes, as well as the reputational damage and loss of confidence in a business’s brand that a data breach can cause.”
Ellis said that while many businesses prepared for GDPR a year ago, they may have failed to keep their processes and procedures up to date, or have become lax in their approach to data protection.
He said: “I suspect that the delay of over a year before the first big fine came through under the new law, due to the backlog of cases under the old law, has left some company boards and owners feeling safe and compliant, but unfortunately data protection is something that has to be considered on a daily basis, which requires regular reviews and updates.
“Those businesses that think they are compliant and that their data is safe should be reviewing their situation in light of this penalty and seeking additional help if they are concerned about their policies and level of protection.”
At this stage the fine has not taken final form: British Airways has 28 days to make representations to the ICO to reduce the fine, and it may subsequently appeal against it too.
In a further complication for British Airways, individuals who suffered loss or damage as a result of the breach may have individual claims for compensation against the airline, so this may not be the end of its exposure.