The Information Commissioner’s Office is set to issue a fine of over £180 million following a breach of the new GDPR regulations.

 

Following an investigation into a data breach that occurred between June and September 2018, the Information Commissioner’s Office has announced its intention to fine British Airways the princely sum of £183.39 million. This is the biggest penalty to be handed out by the ICO and the first published decision under the new rules which came into force last year.

Hackers took advantage of weak security arrangements to divert traffic from the BA website to a fraudulent site where they were able to obtain details of customer log-ins, names and addresses, payment cards (including their CVC number) and travel details relating to around 500,000 customers.  Understandably, the ICO was not amused. Speaking in forthright terms, Elizabeth Denham, the Information Commissioner, commented:

“People’s personal data is just that personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience….”

BA (which cooperated fully with the ICO and which has since updated its website security) now has an opportunity to make representations regarding the proposed fine. But given that this case was brought under the current Data Protection legislation, it shows the ICO’s determination to crack down hard on poor data security. Business owners should be under no illusion; the ICO are not only targeting large corporations. The Information Commissioner has stated further that “when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from [my] office to check that they have taken appropriate steps to protect fundamental privacy rights.”

It is clear therefore that, should a data breach occur, the ICO will expect to see what steps are being taken to protect individuals’ privacy rights. If you have not already done so, a review of your data security systems and your internal policies could pay ample dividends, and also reduce or remove the processing of unnecessary personal data.