The Information Commissioner’s Office (ICO) has informed British Airways and its parent company, International Airlines Group (IAG), that it plans to issue a record fine of £183.39 million following a sizeable breach of the General Data Protection Regulation (GDPR).
The fine, which will eclipse the previous record of Google’s £44 million penalty, relates to a cyber-attack last year. The data breach saw website users directed to a fraudulent site, where customer details were harvested. In total, over 500,000 customers were affected with login, payment card, and travel booking details as well as name and address information all compromised.
Explaining the proposed fine, Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
While BA Chairman, Alex Cruz says he is “surprised and disappointed” by the decision, Willie Walsh, Chief Executive of IAG commented:
“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Whilst the fine is the equivalent of 1.5% of BA’s worldwide turnover in 2017, it could be far worse with a maximum fine of 4% of annual global turnover available to the ICO.
Jade Greenhow, Operations Director at Insight Data comments:
“This record fine clearly shows the ICO will not stand by as businesses brazenly disregard GDPR compliance. As proven by Google, Facebook and countless other businesses both large and small, you simply cannot fly under the radar or avoid taking the necessary precautions to protect personal data.
“It’s a message the window industry needs to hear as many think they are too small to avoid the cross hairs of the ICO. In fact, it’s never been so important to ensure your business complies. At Insight Data, we work with businesses across the supply chain to provide a cost-effective and compliant solution which allows them to stay on the right side of GDPR, whilst still effectively marketing to prospective customers.”