5 thoughts on the BA ICO (intention to) fine
08/07/192. The ICO's earlier off-the-cuff line about 'not adding zeroes to earlier fines' may not be quite right... £183m, if issued, is a step change. Whilst the easy number to remember with GDPR was 20m Euros, the wording of the legislation allows the maximum fine to be up to 4% of global turnover, if higher. The proposed fine here is, I think, about 1-2% of BA's turnover, which is about £12bn. For high turnover, low margin businesses (or the public sector) this is a risk - although 'ability to pay' and 'knock on effects' are factors the ICO will take into account in setting the penalty.
3. ...but per affected data subject, the proposed fine is not so far removed from some earlier action (about £366 per person here, based on 500,000 data subjects). There were about half a million affected data subjects. Some high-impact incidents under the 'old' regime attracted far higher fines per affected data subject (for instance GMP losing some unencrypted DVDs of interviews with victims of crime). The BA incident was high volume/low potential impact in the great scheme of things - whereas GMP was low volume/high potential impact. A change in the regulatory regime from GDPR is better able to address such situations for large businesses engaging with lots of individuals.
4. Prevention will remain better than cure. I wonder how much BA spend on its cyber security position relative to £183m. An organisation that can show it has made heavy investment may influence the ICO's thinking at the investigations stage.
5. It isn't over yet. As regards the proposed fine, there is now a window for formal representations, and BA can then appeal against any eventual fine. Meanwhile, a class action suit is also in the offing - with some suggestions to the value of £500m (and accepting the fine will open the door wider on this). I think this case will also be a practice run for the ICO for their future GDPR enforcement strategy.
Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).
https://ico.org.uk/about-the-ico/news-and-events/news-and-b