Over a year after the GDPR came into effect, the ICO’s announcement that it intends to fine BA over £183m for last year’s data breach finally gives us an indication of where fines might fall for major security breaches.
Coming in at approximately 1.5% of the airline’s global 2017 turnover, this is certainly a figure to make businesses sit up and take notice.
Despite the ICO’s previous reassurances that it is not looking to impose unduly punitive fines, this sends a clear message to organisations, particularly household names with significant resources, that the ICO is not afraid of significantly stepping up the level of fines from the pre-GDPR maximum of £500,000.
The notice of intention is a strong reminder that the GDPR is not just about demonstrating compliance as at 25 May 2018. Data protection and security obligations are ongoing and businesses should regularly audit their security measures to ensure that they remain effective and compliant and should be ready to mobilise and respond to breaches as soon as they occur.
BA now has 28 days in which to make representations before the ICO issues its final monetary penalty notice and the organisation has already announced its intention to appeal.
The ICO will need to consider whether the proposed level of fine, taking into account BA’s representations, is effective, proportionate and dissuasive. Whatever the final figure, this first major test case for GDPR fines in the UK shows that security and data protection compliance are not matters to be taken lightly.