Flying high – the first penalty under the GDPR

The Information Commissioner’s Office has announced the first penalty that it intends to impose under the GDPR – and it is a massive 367 times greater than any penalty previously imposed.

In the summer of 2018 the personal data of some 500,000 customers was harvested by a fraudulent website to which hackers diverted them from the British Airways website. The data included names, email addresses and credit card details.

The ICO criticised the security measures deployed by British Airways and stressed the importance of organisations taking appropriate steps to protect privacy rights. It announced that it intends to fine British Airways £183 million, which equates to 1.5% of BA’s 2017 worldwide turnover.

Before the GDPR came into force in May 2018 the maximum fine for breach of the UK’s data protection laws was £500,000; the GDPR increased that maximum to four times annual turnover. The size of the penalty in this case demonstrates the impact of the changes.

This is a huge fine and a massive step-up in the enforcement of data protection laws. It is a clear reminder, if one were needed, that organisations must treat the personal data of their customers with great care.

David Woods

+44 (0)1733 887793