ICO fines BA £183m
There are enough articles out there regurgitating the news about the BA data breach, so we aren’t going to repeat them. For us the message is simple, and let’s make no bones about it: the Information Commissioner has enhanced powers under the DPA 2018/GDPR and clearly intends to use them.
Prior to this fine, the record UK penalty was the old maximum of £500,000, levied against both Facebook and Equifax. The maximum penalty, as we all know, is now up to 4% of global annual turnover, so it could have been a lot worse for BA than the £183m, which the ICO says represents 1.5% of the company’s 2017 worldwide turnover.
That figure is roughly 367 times the old statutory maximum. BA may well argue that the breach affected circa 500,000 customers rather than its whole database, but that still works out at about £367 per affected customer.
Whilst BA may well contest this fine, one thing is abundantly clear: the Commissioner will be using her increased powers, so every organisation should make sure its house is in order.
And don’t forget, fines can be levied for administrative and governance failures, not just for data security breaches. Are you doing enough to review and implement appropriate information security and privacy management controls to limit the potential impact on your organisation?