To relax. To pay. British Airways faces the first post-GDPR fine.

Back to HubNext ArticlePrevious Article

To relax. To pay. British Airways faces the first post-GDPR fine.

To share this article:


The ICO announced on 8 July 2019 that it intends to fine British Airways £183.39m for infringing the General Data Protection Regulation (GDPR).

Previously, the highest penalty imposed by the ICO has been £500,000 to Facebook following the Cambridge Analytica data scandal – the maximum limit pre-GDPR. Following GDPR, the maximum penalty is 4% of global turnover or €20m, whichever is greater. The BA fine represents 1.5% of its global turnover in 2017. 


In September 2018, British Airways reported to the ICO that since June 2018, customers had been diverted from its legitimate website to a fraudulent site and had their card payment details harvested as a result. The ICO investigated and subsequently found that lax security arrangements had contributed to the loss of BA customers’ personal data.


Information Commissioner Elizabeth Denham said: “…the law is clear – when you are entrusted with personal data, you must look after it.”


We strongly advise our clients:

  • to put in place security measures and policies that protect the data with which you have been entrusted in a manner which is appropriate to its sensitivity, the risks to data subjects if it is lost or destroyed and the scale or your business or organisation’s use of personal data;
  • to ensure you have the ability to detect security breaches as soon as possible; and
  • to report any major breaches to the ICO within the statutory 72-hour limit, even if full details of the breach are not yet known. A log should be kept of all breaches, major and minor.


Contact our data protection specialists, Ian Lindley and Victoria Jessup, to see how we can help.

The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. PDT Solicitors LLP accepts no responsibility for the content of any third party website to which this webpage refers.

Back to HubNext ArticlePrevious Article

Related Content

PDT Solicitors Accredited and Award Winning


This site uses cookies.

Some of these cookies are essential, while others help us to improve your experience by providing insights into how the site is being used.

Necessary Cookies

Necessary cookies enable core functionality. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.

Analytical Cookies

Analytical cookies help us to improve our website by collecting and reporting information on its usage.