In the first of the anticipated big fines imposed under the new data protection laws that came into force in May 2018, the ICO has issued a notice of intention to fine British Airways a record £183.39M for infringements of the General Data Protection Regulation (GDPR). British Airways now has the opportunity to make representations to the ICO in relation to the proposed fine prior to a final decision being made, not least on the basis that the company claims to have found no evidence of fraudulent activity on accounts linked to the breach.
The ICO’s investigation concerned a cyber incident in which user traffic to the British Airways website was diverted to a fraudulent site, resulting in the personal and financial information of approximately 500,000 customers being compromised. The investigation found that, because of poor security arrangements, a variety of information was compromised, including login, payment card and travel booking details, as well as names and addresses.
Prior to the GDPR, under the Data Protection Act 1998, the maximum fine the ICO could impose for a breach of data protection obligations was £500,000. This fine therefore represents a stern wake-up call for all organisations as to how seriously the ICO will treat breaches of the GDPR. Under the GDPR, the maximum fine is 20 million euros or 4% of worldwide turnover, whichever is greater; the British Airways fine represents 1.5% of its 2017 global turnover.
The ICO’s position on the steps that all organisations must put in place to ensure that the personal data they hold on their customers and employees remains safe is now clear. As Information Commissioner Elizabeth Denham said:
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
All businesses and organisations therefore need to ensure that they are complying with their data protection obligations. It is not just the fines that can have an impact on a business: there is also the reputational damage, the cost of correcting the issue, and the legal costs of dealing with and defending any claims brought by data subjects for breach of their data protection rights.
If you require any advice in relation to your data protection rights and obligations, particularly in relation to employees’ personal data, please contact Julie Edmonds, Head of Employment, by email at firstname.lastname@example.org, by telephone on 0207 644 7286, or on LinkedIn.