At £183.4m (US$228m) or 1.5% of BA’s worldwide revenue in 2017, this fine by the UK Information Commissioner’s Office (ICO) sets a new precedent in the level of penalty, and likely represents the ‘wake-up call’ the privacy industry has been expecting since the GDPR came into force in May 2018. The penalty is especially sobering, given the fact that BA have been cooperative throughout the ICO’s investigation and no direct losses have been evidenced by any of the affected data subjects.
The arrival of significant fines under the GDPR has been expected for some time, though the magnitude of this one stands out, especially given that the previous largest fine, issued to Facebook, was a paltry (by comparison) £500,000 (US$623,000), although this did represent the maximum penalty available to the ICO at the time.
Currently, this figure is only a statement of intent, meaning British Airways have the ability to make representations that may reduce the final amount. However, the decision is also open to further scrutiny and comment from other EU member states, as the breach affected many data subjects from other EU countries. The final decision is due in around one month.
Clearly this announcement marks the beginning of a new era in the level of penalties, though it is aligned with the recent and marked shift in rhetoric coming from the UK’s Information Commissioner, Elizabeth Denham, in regard to their future enforcement intentions. We can therefore expect to see many similar penalties being awarded (with Marriott standing next in the firing line), as there have been numerous similar breaches reported to the ICO in the months since the GDPR came into force.
The magnitude of the BA penalty should therefore be seen as a clear message to business owners and senior executives that investment in data security measures, compliance processes and staff training could be a wise investment in protecting brand, reputation and market cap.
This blog was written by Rob Masson, the CEO of the DPO Centre.