21 October 2020

The ICO delivers its penalty decision to British Airways: a reprieve, but by no means a let-off…

The UK’s Information Commissioner’s Office (“ICO”) has finally issued its decision regarding the fine imposed on British Airways (“BA”) for its 2018 data breach (where data including names, addresses and payment card details of some 500,000 customers was compromised by a cyber-attack). Originally standing at £183.39m, the potential fine was an eye-watering amount that sent shockwaves through organisations doing business in the UK. The final figure has been revealed to be a much lower amount (relatively speaking), albeit still a hefty £20m. 

After all the anxiety of possible fines under the GDPR reaching up to 4% of annual global turnover and the very real threat of such a fine looming over BA, people will be wondering what caused the change in the ICO’s ultimate decision… as it happens, not COVID-19 (see below). In fact (and this will undoubtedly give organisations some comfort to learn), whilst the ICO considered BA’s turnover to be a relevant factor, it does not seem to have been the primary metric for calculating the fine as previously suspected. Below we take a look at some of the main factors taken into account by the ICO when assessing the BA fine, which will hopefully shed some light on how future fines might be calculated by data protection regulators: 

  • whether or not the organisation has financially benefitted from the breach, or misused the personal data – fortunately this was not the case with BA. By contrast, in the CNIL Google case, the French regulator found that Google profited from its misuse of personal data (related to targeted advertising) and so imposed a larger fine totalling €50 million;

  • economic hardship associated with COVID-19 – contrary to initial conjectures, the current pandemic accounted for only a £4m reduction (by no means negligible but not the reason for the overall lowering of the fine). It remains to be seen whether this reduction in the penalty amount will strictly be applied in unprecedented events like COVID-19 or if other external forces affecting markets will also be considered;

  • the nature and duration of the data breach – the ICO regarded the BA breach to be serious on both counts – it is important that organisations frequently monitor and review their security practices for handling personal data, and have a data breach response plan in place that staff are familiar with, so that they can take mitigating actions as swiftly as possible. 

  • what mitigating actions were taken – BA offered immediate support to affected individuals in the aftermath of the breach, including the offer to reimburse financial losses as well as [credit checks], which helped to reduce the fine further;

  • whether all breach notification requirements had been complied with – the ICO stated that BA had acted promptly in notifying it of the breach. Again, having the requisite action plans and training in place is vital to ensure key reporting timelines are met – organisations have 72 hours from becoming aware of a breach to notify the regulator  and must also notify affected individuals without undue delay where they are at significant risk of harm;

  • whether the breach involved “special category data” (i.e. more sensitive personal data such as information about someone’s health, religion, etc.) – such data is given greater protection under data protection laws, so it should not come as a surprise to organisations that the ICO will not look favourably on a breach involving more sensitive data (in the BA case, no sensitive data was compromised);

  • whether the organisation had any previous data protection infringements or had failed to comply with ICO notices – BA had no previous infringements. As ever, this highlights the importance of having your data protection house in order. An organisation not complying with individuals’ rights requests in a timely manner might not elicit too stern a response in the first instance, but such a lapse may well count unfavourably if a more serious infringement occurs further down the line;

  • whether the organisation co-operated with the investigation – the ICO confirmed that BA had co-operated fully. Organisations cannot afford to bury their head in the sand where serious breaches have occurred; full and open co-operation will always be looked upon favourably by regulators and in BA’s case, resulted in a part-reduction of the fine; and

  • whether the organisation is responsible for the breach – whilst BA was found not to have intentionally or deliberately caused the breach (unsurprising given that it was the result of a malicious hack), it was however, still held responsible for not having sufficient technical and organisational safeguards in place. This is in contrast to the data breach concerning Morrisons (where a rogue employee uploaded personal data to the internet) for which the UK’s Supreme Court ultimately found Morrisons not responsible. For BA, however, there were clearly shortcomings in its IT security infrastructure and practices which allowed the breach to occur. 

Over two years since the GDPR’s introduction, the recommendations that flow from the ICO’s decision in this case should now all be familiar territory to organisations handling personal data. It is important to note that the reduction in BA’s fine should not be viewed as a relaxation of the GDPR’s enforcement provisions. Even with all the mitigating factors applied, and whilst £20m is much less than the £183m originally proposed, it still dwarfs the highest amount possible under the previous data protection regime (£500,000). To that end, it remains just as important as ever to ensure your policies, training and practices regarding the handling of personal data are compliant and up to date.

We now wait with interest to see whether the ICO takes a similar approach with Marriott Hotels, which also has an impending data protection fine currently proposed at £100m. 

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    Foreign investors seeking acquisition or business expansion opportunities in the UK must, with effect from 11 November 2020, be mindful of new government measures

    13 November 2020

    In the current economic climate, a carve-out of non-core business or assets will often make sense to companies seeking to focus their efforts on their core offering

    11 November 2020

    As of 11 pm on 31 December 2020, the transitional period for the UK’s departure from the EU will end, and EU legislation that has been ‘onshored’ will come into force

    09 November 2020

    Fraud is a clear and present danger in Foreign Invested Enterprises. Curiously, the problems seem to be more severe in WFOEs than JV's In this episode of "China: the Art of Law" KWM Partner Mark...

    02 October 2020

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.