The Information Commissioner’s Office (ICO) has published its intention to fine British Airways £183.39 million under the General Data Protection Regulation (GDPR) for serious breaches of data protection law.
The proposed fine is significant: it is the largest penalty the ICO has ever announced. Under the preceding Data Protection Act 1998, the maximum fine the ICO could impose was £500,000. It is also the first major monetary penalty the ICO has proposed under GDPR.
Under the rules introduced last year by GDPR, the ICO can now issue fines of up to 4% of an organisation’s annual worldwide turnover (or €20 million, whichever is higher). The proposed penalty represents roughly 1.5% of British Airways’ worldwide turnover in 2017.
The fine relates to a cyber attack on British Airways’ website in which attackers diverted visitors to a fraudulent website and harvested their personal data. The incident reportedly began in June 2018 and affected around 500,000 individuals. The compromised data included names, email addresses, log-in details and payment card details.
It is important to note that the ICO has not yet fined British Airways; it has only made public that it intends to fine this amount. British Airways will have around a month to submit representations. It will be interesting to see which factors the ICO takes into account when arriving at the final penalty for the first major monetary fine under GDPR, since that reasoning will set expectations for future cases. The announcement also serves as a reminder to organisations that they must have adequate security measures in place when handling personal data (GDPR Article 32 requires technical and organisational measures appropriate to the risk), and that the regulator now has the means to penalise those that do not.