The Information Commissioner's Office (ICO) issued the penalty this week for a data breach that compromised 500,000 BA customers. Businesses have waited since 25 May 2018 to get an idea of the possible size of General Data Protection Regulation (GDPR) fines.
BA has said it will make representations to the ICO about the size of the proposed fine and intends to appeal.
David White, commercial and IP associate at Rollits, said the fine ‘demonstrates that the ICO is not afraid to use the weapons at its disposal to hammer home the importance of data protection.
‘Any organisation that has ignored to its data protection responsibilities, or seen data protection compliance as a “tick-box” exercise, should take stock: the gloves are off.’
The BA fine represents about 1.5% of its annual worldwide turnover. Under the GDPR, organisations can be fined up to 20 million euros or 4% of annual worldwide turnover for a serious breach, whichever is highest, and 10 million euros or 2% of annual worldwide turnover for a less serious breach. This is considerably higher than the maximum £500,000 fines possible under the Data Protection Act.
Raoul Parekh, partner at GQ|Littler, said: ‘The first GDPR fine is the display of shock and awe that many feared.
‘Politicians and pressure groups have been lobbying for heavy penalties and it seems they have listened. The ICO has used its first announcement of intention to fine as a major deterrent to ensure businesses take GDPR extremely seriously.
‘British Airways has acted very responsibly since the breach was discovered, notifying the ICO and co-operating with the regulator to fix the issues and repair the damage. For the ICO, though, businesses need prevention and not just cure if they are to avoid fines.’