Tips from URM – Reviewing and Implementing Management Controls
ICO fines BA £183m
There are enough articles out there regurgitating the news about the BA data breach, which we aren’t
going to repeat. For us the message is simple, and let’s make no bones about it: the Commissioner has
enhanced powers under DPA 18/GDPR and clearly intends to use them.
Prior to this fine, the record UK fine was the then-maximum £500,000, levied against both Facebook and
Equifax. The penalty, as we all know, is now up to 4% of turnover, so it could have been a lot worse for BA
than the £183m (representing 1.5% of the company’s 2017 global turnover).
However, this figure is approximately 367 times greater than it would have been under the old DPA and,
as BA may argue, the breach only impacted circa 500,000 customers and not their whole database – that’s £367 per
Whilst BA may well contest this fine, one thing is abundantly clear – the Commissioner will be using her
increased powers, so all organisations should make sure they have their house in order.
And don’t forget, fines can be levied for administrative and governance failures, not just data security
breaches. Are you doing enough in reviewing and implementing appropriate information security and
privacy management controls to limit the potential impact to your organisation?