The UK’s supervisory authority, the Information Commissioner’s Office (ICO), acting as lead supervisory authority on behalf of the other EU Member States, has today released its notice of intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR). The breach in question was notified to the ICO in September 2018 and is believed to have compromised the personal data of approximately 500,000 customers over the course of several months in 2018. The affected personal data includes names, email addresses and payment card details, including card numbers, expiry dates and the three-digit CVV code printed on the back of the card.
The ICO’s investigation found that the information had been compromised by “poor security arrangements”. The security of personal data is one of the key drivers behind the GDPR, so it is unsurprising that supervisory authorities are starting to exercise their powers under the GDPR on the basis of a lack of effective security. Information Commissioner Elizabeth Denham said: “When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” This should be a warning to all organisations that the security of personal data is vital. Even where personal data is compromised through the criminal activity of a third party, the responsibility for securing it still rests with the organisation processing it: organisations must be vigilant in securing against such risks to the best of their abilities.
What happens next? The notice is an intention to fine, not a final penalty: British Airways has 28 days to make representations to the ICO. Willie Walsh, Chief Executive of IAG (owner of British Airways), has confirmed that the airline will make representations and take “all appropriate steps to defend the airline's position vigorously”. The ICO will then consider those representations and make its final decision on the penalty.
Whilst it is impossible to know at this stage how far British Airways’ representations will go in reducing the financial penalty, the proposed fine is by far the largest the ICO has announced under the new rules to date, and dwarfs the £500,000 cap that applied under the previous regime. The UK regulator has made its intentions clear: it is willing to act, and to use the powers it has in an impactful way.
Today’s announcement marks a turning point. It is an early indication of how supervisory authorities intend to approach data breaches and enforcement under the GDPR, and of what organisations can expect to come.