The UK Information Commissioner's Office has announced its intention to issue a £183 million fine to British Airways, in respect of a personal data breach under the GDPR. The announcement has wide-ranging consequences for businesses in all sectors.
Enforcement of the General Data Protection Regulation ("GDPR") began more than a year ago, and Data Protection Authorities ("DPAs") across the EU are now beginning to issue significant fines for non-compliance. Failure to comply with the GDPR can result in regulatory investigations, fines and damages claims, all of which could undermine trust and confidence among consumers and investors. DPAs have the power to issue fines of up to €20 million or 4% of annual global turnover (whichever is greater) for each infringement of the GDPR. It is now clear that European DPAs are willing to use this power to impose significant fines.
The UK DPA, the Information Commissioner's Office ("ICO"), recently issued a notice of its intention to fine British Airways £183 million for allegedly failing to adequately safeguard its customers' personal data. The ICO's action comes a few months after the French DPA issued a similarly significant €50 million fine against a US-based tech business for allegedly failing to provide sufficient information to its users regarding the collection and use of their personal data and failing to obtain valid user consent.
These enforcement actions should serve as a timely reminder for businesses to consider GDPR risk exposure. Businesses should review policies and procedures implemented in the run-up to the implementation of the GDPR and ensure these continue to be effective in supporting compliance and protecting personal data. Data security measures implemented to safeguard personal data should be subject to continual review to ensure that they remain effective against current known threats and vulnerabilities.
Businesses operating in the UK (or targeting the UK market) should be familiar with the key points from the ICO's Regulatory Action Policy ("RAP"). The RAP sets out the ICO's five-year programme of key regulatory priorities and is intended to enable businesses to predict how the ICO will carry out its regulatory activity. The RAP includes guidance on the approach the ICO will adopt when considering whether to issue penalties to businesses. Some of the key factors considered by the ICO are as follows:
- the nature, gravity and duration of the failure;
- the sensitivity of the data involved;
- whether there has been a degree of damage or harm (which may include distress and/or embarrassment);
- the degree of responsibility of the business;
- whether there has been a failure by the business to implement the accountability provisions of the GDPR;
- any relevant previous failures; and
- the manner in which the ICO became aware of the incident.
This is the first wave of significant enforcement action since the introduction of the GDPR and it suggests that DPAs are willing to impose substantial fines on businesses that they determine to be in breach of data protection law, regardless of the sectors in which those businesses operate. We anticipate further fines, of a similar or higher value, to be issued in the second half of this year.