In July 2019 the Information Commissioner's Office (ICO) announced an intention to fine BA £183M for infringements of the GDPR. Around 400,000 users of the BA website had been diverted to a fraudulent site where the customers' login, payment and travel details were harvested. The breach was not discovered until 2 months later.
The ICO considered that BA's security measures were inadequate and proposed the largest ever fine, albeit well below the maximum fine that could have been imposed. It not only reflected the seriousness of the specific breach but sent a message to large corporates that, unless they paid close attention to data privacy, they could expect very tough enforcement measures for breaches.
Since then, BA has taken steps to improve the security of the data obtained via its website and has cooperated with the ICO, while challenging the size of the proposed fine.
The ICO has today announced that the fine actually imposed is £20M. This is obviously a very welcome reduction in BA's liability at a time when its business has been decimated by the coronavirus. It also reflects the benefit of swift action to remedy a breach (so far as possible) and close cooperation with the ICO.
Nevertheless, it is still the largest fine confirmed by the ICO, reinforcing the fundamental importance of GDPR compliance.
"It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures,"