The Information Commissioner's Office (ICO) issued the penalty this week for a data breach that compromised 500,000 BA customers. Businesses have waited since 25 May 2018 to get an idea of the possible size of General Data Protection Regulation (GDPR) fines.

BA has said it will make representations to the ICO about the size of the proposed fine and intends to appeal.

David White, commercial and IP associate at Rollits, said the fine ‘demonstrates that the ICO is not afraid to use the weapons at its disposal to hammer home the importance of data protection.

‘Any organisation that has ignored its data protection responsibilities, or seen data protection compliance as a “tick-box” exercise, should take stock: the gloves are off.’

The BA fine represents about 1.5% of its annual worldwide turnover. Under the GDPR, organisations can be fined up to 20 million euros or 4% of annual worldwide turnover for a serious breach, whichever is higher, and 10 million euros or 2% of annual worldwide turnover for a less serious breach. This is considerably higher than the maximum £500,000 fine possible under the Data Protection Act.

Raoul Parekh, partner at GQ|Littler, said: ‘The first GDPR fine is the display of shock and awe that many feared.

‘Politicians and pressure groups have been lobbying for heavy penalties and it seems they have listened. The ICO has used its first announcement of intention to fine as a major deterrent to ensure businesses take GDPR extremely seriously.

‘British Airways has acted very responsibly since the breach was discovered, notifying the ICO and co-operating with the regulator to fix the issues and repair the damage. For the ICO, though, businesses need prevention and not just cure if they are to avoid fines.’