ICO set to fine British Airways £183.39m under GDPR

Published on Monday, July 8, 2019 - 11:54 by Camilla Winlo

The ICO has today announced its intention to fine British Airways £183m – or 1.5% of their annual global turnover – for losing personal data belonging to 500,000 customers in 2018. This is the first fine the ICO has announced under GDPR and proves that the ICO has a stick as well as a carrot.

While the fine is not yet confirmed – British Airways is certain to appeal – the airline has already been hit by reputational damage and the management distraction involved in the appeal will be significant. At the time of writing, parent IAG’s share price is down 5.30 points and stories about the potential fine are at the top of the investor news feed. As always, the fine is only a small part of the financial impact of a data breach.

Fundamentally, the British Airways breach was the result of poor Data Protection by Design and Default practices. Their cybersecurity arrangements simply weren’t sufficient to protect the personal data they collected, which included login, payment card, travel booking and home address details. The harms that can arise from unauthorised access to these kinds of information are clear, the most obvious being that a malicious actor with this information knows where you live, and when you won’t be there.

European data protection authorities are clear – if organisations can’t appropriately protect personal data, they cannot collect and process it. But a combination of silo thinking and the inherent conflict between business drivers and the rights of data subjects makes it very difficult for most organisations to establish whether they have met the threshold of ‘appropriate protection’ until it’s too late.

DQM GRC has developed a two-day training course that is specifically designed to help organisations with this. It goes beyond the ‘hard’ technical requirements of Data Protection by Design and Default to explore the ‘soft’ communication and project management skills that give organisations confidence in their data protection practices. At the end of the course, participants have a list of immediate actions they can take themselves, and senior managers have a list of business challenges to address. Optional additional days can start to add role-based capability.

Any organisation can come to the attention of the regulator. But just two days of training can reduce the chance of you being next.
