To relax. To pay. British Airways faces the first post-GDPR fine.

Previously, the highest penalty imposed by the ICO has been £500,000 to Facebook following the Cambridge Analytica data scandal – the maximum limit pre-GDPR. Following GDPR, the maximum penalty is 4% of global turnover or €20m, whichever is greater. The BA fine represents 1.5% of its global turnover in 2017. 

 

In September 2018, British Airways reported to the ICO that since June 2018, customers had been diverted from its legitimate website to a fraudulent site and had their card payment details harvested as a result. The ICO investigated and subsequently found that lax security arrangements had contributed to the loss of BA customers’ personal data.

 

Information Commissioner Elizabeth Denham said: “…the law is clear – when you are entrusted with personal data, you must look after it.”

 

We strongly advise our clients:

• to put in place security measures and policies that protect the data with which you have been entrusted in a manner which is appropriate to its sensitivity, the risks to data subjects if it is lost or destroyed and the scale or your business or organisation’s use of personal data;
• to ensure you have the ability to detect security breaches as soon as possible; and
• to report any major breaches to the ICO within the statutory 72-hour limit, even if full details of the breach are not yet known. A log should be kept of all breaches, major and minor.

 

Contact our data protection specialists, Ian Lindley and Victoria Jessup, to see how we can help.