The Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, today announced that it has provisionally determined that British Airways (BA) must pay a substantial fine for breach of the GDPR, in relation to a data breach that BA suffered in June 2018. The reports state that the incident in part involved user traffic to the BA website being diverted to a fraudulent site, as a result of which customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident.
The details of how the penalty was calculated have not been published, but observers note that the £183.39M figure proposed by the ICO represents precisely 1.5% of BA’s FY2017 global turnover (£12,226M) – although interestingly this is BA’s turnover, rather than the composite turnover of IAG, the group of which BA is part.
Breach of Article 32 GDPR, which is the provision requiring data controllers to maintain “appropriate” measures, is (oddly) in the lower penalty bracket, so the maximum fine that can be charged is €10M or 2% global turnover – whichever is higher. So a penalty calculated on the basis of 1.5% turnover is not far off the maximum that could be imposed.
It’s important to note that this is a provisional figure – a statement of intent by the ICO. BA have the opportunity to respond to the proposal and identify reasons it should be lowered, such as levels of culpability, co-operation etc. And of course, even once the ICO fixes the amount, BA can still appeal it. So it may go down, but the fact that the ICO is talking in these terms suggests that it is flexing its muscles and is not afraid to hit large corporations to force them to take their privacy responsibilities seriously.