The ICO has today announced its intention to fine British Airways £183.39 million in the first flexing of its new penalty powers under the GDPR.

This is the first fine the ICO has announced under the GDPR and significantly bigger than its previous largest penalty under the UK data protection regime. Under the Data Protection Act 1998, the ICO could only impose a maximum fine of £500,000, which it levied against Facebook following the Cambridge Analytica data scandal. The ICO acknowledged at the time that “the fine would inevitably have been significantly higher under the GDPR”. The new legislation allows the ICO to impose much larger fines, up to a maximum of £17 million or 4% of global turnover. The fine it’s intending to impose on BA amounts to 1.5% of its worldwide turnover in 2017.

The ICO’s notice of intention to fine BA follows an extensive investigation carried out relating to a cyber-incident which began in June 2018, whereby user traffic to the BA website was diverted to a fraudulent site, where fraudsters harvested details of approximately 500,000 customers. The ICO’s investigation found that a variety of information was compromised by poor security arrangements, including names, email addresses and payment card details. 

BA now has an opportunity to make representations to the ICO before the ICO makes a final decision in relation to the fine. Whatever the final outcome, the message is clear - the ICO will not be shying away from imposing significant fines on data controllers that fail to safeguard people’s personal data. Once the final decision has been handed down, understanding how the ICO has arrived at this level of fine will hopefully provide guidance to all data controllers as to how a breach can be quantified.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.