When the General Data Protection Regulation (GDPR) came into force on May 25, 2018 it was the biggest shake up of data protection in 20 years, with the aim of tightening how businesses gather and use personal data.
The GDPR was passed into the laws of United Kingdom by Data Protection Act 2018.
Part of the new rules increased the enforcement powers of the Information Commissioners Office (ICO). The maximum fine which can be awarded by the ICO for a breach of the GDPR is now €20 million or four percent of the business's worldwide turnover. Most businesses are now aware of the risks of data breaches.
On July 8 this year the ICO issued a notice of its intention to fine British Airways £183.39 million due to the breach of their security systems that infringed the GDPR.
In September 2018 the ICO were notified of a cyber-incident. The attackers diverted customers from British Airways site to a fake site, allowing them to harvest customer details. The ICO reports that approximately 500,000 customers were victims of the attack, which is believed to have begun in June 2018.
This decision is something which businesses must sit up and take note of, as it is the first very substantial fine to be issued by the ICO since the GDPR come into force.
The fine issued to British Airways represents approximately 1.5 percent of its worldwide turnover in 2017.
Until now the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica scandal in October 2018. This was the maximum fine under the data protection law prior to the changes.
British Airways has 28 days to appeal the decision and it has already announced its intention to do just that. The ICO will need to consider the proposed fine, taking into account any representations made by British Airways.
What this shows is that the ICO is not afraid to utilise the additional powers it has been given under the new laws. It is the responsibility of businesses to adapt in the evolving world of technology to equipped itself with the correct tools including cybersecurity.
This is a reminder to all businesses that their responsibility is continued compliance and not demonstrating compliance as at May 25, 2018.