Upgrade to Chrome Upgrade to Firefox Upgrade to Internet Explorer Upgrade to Safari
Legal News | 10.07.19

Information Commissioner’s Office Issues Record Fine

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It was the biggest shake up of data protection in 20 years, with the aim of tightening how businesses gather and use personal data. The GDPR was passed into the laws of United Kingdom by Data Protection Act 2018.

Part of the new rules increased the enforcement powers of the Information Commissioners Office (ICO). The maximum fine which can be awarded by the ICO for a breach of the GDPR is now €20 million or 4% of the businesses worldwide turnover. Most businesses are now aware of the risks of data breaches.

On 8th July 2019 the ICO issued a notice of its intention to fine British Airways £183.39 million due to the breach of their security systems which infringed the GDPR. In September 2018 the ICO were notified of a cyber-incident. The attackers diverted customers from British Airways site to a fake site, allowing them to harvest customer details. The ICO reports that approximately 500,000 customers were victims of the attack, which is believed to have begun in June 2018.

This decision is something which businesses must sit up and take note of, as it is the first very substantial fine to be issued by the ICO since the GDPR come into force. The fine issued to British Airways represents approximately 1.5% of its worldwide turnover in 2017. Until now the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytics scandal in October 2018. This was the maximum fine under the data protection law prior to the changes.

British Airways has 28 days to appeal the decision and it has already announced its intention to do just that. The ICO will need to consider the proposed fine, taking into account any representations made by British Airways.

What this shows is that the ICO is not afraid to utilise the additional powers it has been given under the new laws. It is the responsibility of businesses to adapt in the evolving world of technology to equipped itself with the correct tools including cybersecurity. This is a reminder to all businesses that their responsibility is continued compliance and not demonstrating compliance as at 25 May 2018.

Emma Jewell is a solicitor in the Commercial team at Wansbroughs in Devizes. She advises clients on a broad range of commercial and corporate matters, including data protection. To discuss the matters raised in this article or any commercial or corporate queries, please contact her on 01380 733300 or at emma.jewell@wansbroughs.com.

Last updated 10/07/2019