Shorter Reads

British Airways facing record GDPR fine

British Airways is today facing a record fine of £183m for a data breach in June 2018, one month after the GDPR came into force.

1 minute read

Published 8 July 2019

Authors

Share

Key information

  • Specialisms
  • Business
  • Services
  • Data Protection

The fine represents 1.5% of its 2017 worldwide turnover, and whilst below the maximin possible 4% fines represents the largest single fine handed down by the Information Commissioner’s Office (ICO).

Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow said: “The first anniversary of the GDPR passed on 25 May and we are only now seeing the ICO beginning to issue fines on breaches they have been investigating for several months.  If businesses were feeling complacent about their GDPR obligations, thinking that nothing was going to happen, this record fine should serve as a wake-up call.

“We were expecting the ICO to hand down some pretty hefty fines to coincide with the first GDPR anniversary and it has now started to do so.  The ICO has shown that it takes its regulatory responsibilities protecting the interests of data subjects very seriously and also that it wants businesses to work hard to comply.

“The fine imposed on British Airways may be the first, but it will not be the last: several large commercial and public sector entities will all be in the ICO’s spotlight.”

Businesses faced with a data breach are reminded that they must:

  • Investigate to establish whether a breach has occurred and its likely impact.
  • Breaches affecting the rights and freedoms of individuals need to be addressed immediately.
  • If such a breach is confirmed it must be reported to the ICO within 72 hours.
  • Your data protection team must then take all necessary steps to stop it continuing and:
    • Establish how the breach occurred
    • Investigate the extent of the information breached
    • Determine the consequences of breach
    • Outline measures to prevent further breaches
  • Determine then whether specialist legal and crisis management advice is needed
  • Review your current data and cyber security arrangements.
  • If appropriate, disclose the data breach to those affected and wider stakeholder. Full disclosure and reassurance about the corrective steps being taken is often the best policy.
  • Do not forget to notify ICO within 72 hours.

Patrick Wheeler is available for interview.  He can be reached by email: Patrick.wheeler@collyerbristow.com.

Message us on WhatsApp

Related latest updates
PREV NEXT

Related content

Arrow Back to Insights

Shorter Reads

British Airways facing record GDPR fine

British Airways is today facing a record fine of £183m for a data breach in June 2018, one month after the GDPR came into force.

Published 8 July 2019

Associated sectors / services

Authors

The fine represents 1.5% of its 2017 worldwide turnover, and whilst below the maximin possible 4% fines represents the largest single fine handed down by the Information Commissioner’s Office (ICO).

Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow said: “The first anniversary of the GDPR passed on 25 May and we are only now seeing the ICO beginning to issue fines on breaches they have been investigating for several months.  If businesses were feeling complacent about their GDPR obligations, thinking that nothing was going to happen, this record fine should serve as a wake-up call.

“We were expecting the ICO to hand down some pretty hefty fines to coincide with the first GDPR anniversary and it has now started to do so.  The ICO has shown that it takes its regulatory responsibilities protecting the interests of data subjects very seriously and also that it wants businesses to work hard to comply.

“The fine imposed on British Airways may be the first, but it will not be the last: several large commercial and public sector entities will all be in the ICO’s spotlight.”

Businesses faced with a data breach are reminded that they must:

  • Investigate to establish whether a breach has occurred and its likely impact.
  • Breaches affecting the rights and freedoms of individuals need to be addressed immediately.
  • If such a breach is confirmed it must be reported to the ICO within 72 hours.
  • Your data protection team must then take all necessary steps to stop it continuing and:
    • Establish how the breach occurred
    • Investigate the extent of the information breached
    • Determine the consequences of breach
    • Outline measures to prevent further breaches
  • Determine then whether specialist legal and crisis management advice is needed
  • Review your current data and cyber security arrangements.
  • If appropriate, disclose the data breach to those affected and wider stakeholder. Full disclosure and reassurance about the corrective steps being taken is often the best policy.
  • Do not forget to notify ICO within 72 hours.

Patrick Wheeler is available for interview.  He can be reached by email: Patrick.wheeler@collyerbristow.com.

Associated sectors / services

Authors

Need some more information? Make an enquiry below.

    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor

    Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?

    Subscribe to our articles

    Message us on WhatsApp (no calls)

    Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.

    I accept Close

    Close
    Scroll up
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.