ICO announces intention to issue record fine for BA data breach
Coming in at approximately 1.5% of the airline’s global 2017 turnover, this is certainly a figure to make businesses sit up and take notice.
Despite the ICO’s previous reassurances that it is not looking to impose unduly punitive fines, this sends a clear message to organisations, particularly household names with significant resources, that the ICO is not afraid of significantly stepping up the level of fines from the pre-GDPR maximum of £500,000.
The notice of intention is a strong reminder that the GDPR is not just about demonstrating compliance as at 25 May 2018. Data protection and security obligations are ongoing and businesses should regularly audit their security measures to ensure that they remain effective and compliant and should be ready to mobilise and respond to breaches as soon as they occur.
BA now has 28 days in which to make representations before the ICO issues its final monetary penalty notice and the organisation has already announced its intention to appeal.
The ICO will need to consider whether the proposed level of fine, taking into account BA’s representations, is effective, proportionate and dissuasive. Whatever the final figure, this first major test case for GDPR fines in the UK shows that security and data protection compliance are not matters to be taken lightly.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.
Get in touch
%20%C3%94%C3%87%C3%B4%20790px%20X%20451px%2072ppi13.jpg)
Insights & events
Cyber Security and Resilience Bill Explained | TLT
AI and the future of payments: Five Big Questions with Dave Gardner
Agentic AI and Data - Five big questions with Emma Erskine-Fox
Managing the hidden cyber security risks within your supply chain
What's mine is yours: when information is held on behalf of another under FOIA
Emerging approaches to the regulation and enforcement of AI use
Fortifying defences: ICO publishes new report on common information security mistakes and pitfalls
Employee monitoring - recent developments and enforcement decisions
Auctioning of personal data for advertising purposes: CJEU confirms rules under the GDPR
Biometric data and the impact of the ICO's latest Enforcement Notice
The results are in... The European Data Protection Board's report on the role of Data Protection Officers
Retail Agility: Navigating the AI frontier in retail
Impact of flexible working on towns and cities - the market and legal considerations
Plugging into electric vehicle opportunities | Whitepaper
TLT shortlisted for two awards at the PICCASO Privacy Awards Europe 2023
TLT hires data protection and financial services specialist as partner
TLT partner nominated for top prize at the PICCASO Privacy Awards
TLT Partner Appointed Chair of North West Fraud Forum | TLT
TLT Shortlisted for Firm of the Year at Scottish Legal Awards | TLT
TLT Wins Law Firm of the Year at Manchester Legal Awards | TLT
TLT Recognised for Two Awards at The Lawyer Awards 2022 | TLT
TLT Shortlisted for Two Manchester Legal Awards 2022 | TLT
TLT enhances public sector offering with partner hire
Retail IT systems straining to keep pace with heightened demand
A quarter of retailers say data and analytics isn't important to their business
TLT appointed to sports and arts legal services panel
Claire Graham joins board of North West Fraud Forum
TLT launches Intelligent Drafting solution powered by Clarilis
TLT continues to build data team with senior hire in London
Scale‑Up Insights Podcast: Getting to Grips with Data | TLT
