It emerged in the news today that the ICO intends to fine British Airways £183m over a 2018 breach of its systems in which the personal details of hundreds of thousands of customers (including payment card information) were stolen by attackers who compromised its website.


Data protection regulators in the EU can impose a fine of up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for breaches of the GDPR. This is amongst the first such penalties proposed by the ICO under the new GDPR regime, and it is significant because, until now, we have had no real idea of how the ICO would exercise its power to fine for breaches.


The proposed fine amounts to 1.5% of BA's worldwide turnover. It will have a major impact on its bottom line and is the largest fine ever announced by the ICO. Previously, the largest was the £500,000 levied against Facebook over the Cambridge Analytica scandal, which was the maximum possible under the previous Data Protection Act. The ICO has said that BA's security arrangements were poor, and with fines now reaching eye-watering levels, businesses, especially those which are consumer facing, should take this as a warning.


If they have not already done so, businesses should review the adequacy of their security measures, especially where sensitive categories of personal data are processed. This should include a full review of internal response procedures for security incidents, since the GDPR requires a personal data breach to be reported to the regulator without undue delay. The other significant point is that BA claims that no fraudulent activity has been reported by any of the individuals whose personal data was compromised, yet the fine has been proposed despite no evidence of actual harm. That follows from the structure of the GDPR: the security obligation in Article 32 is to implement appropriate technical and organisational measures, so a penalty can be based on inadequate security alone, without proof of loss to the affected individuals. Whether this decision by the ICO against BA is a sign of things to come, we will have to wait and see.