British Airways (BA) is likely to face a £183m fine from the Information Commissioner’s Office (ICO) for a serious breach of data protection law.
In 2018, British Airways suffered a major cyber security incident in which the names, addresses and card details of around 500,000 BA passengers were compromised. The ICO found that BA had failed to protect the data from being stolen, and to put in place appropriate measures to keep the personal data secure, as required by data protection law.
The fine would be the largest of its kind, and the first to be issued by the regulator in the UK since the introduction of the General Data Protection Regulation (GDPR) in May 2018. Prior to the implementation of GDPR, the ICO’s ability to fine businesses was capped at £500,000. Under the new rules, it is able to issue fines of up to €20m or four percent of worldwide turnover, whichever is greater. The fine is calculated as 1.5 percent of BA’s global turnover.
The fine has not yet been issued as the ICO must first issue a ‘notice of intent’ to BA so that it may make final representations.