British Airways are facing a record fine of more than £183 million over a customer data breach. Here are five things to know about the Information Commissioner’s Office (ICO) fine on British Airways:


It happened in June 2018

The General Data Protection Regulation (GDPR) came into force in May 2018, meaning the breach just falls under the new law – otherwise the fine would have been capped at £500,000. In some ways, British Airways (BA) just happened to be the unlucky company whose breach fell under the new law – Facebook’s data mishandling took place under the old law, so the Information Commissioner’s Office (ICO) could only fine them £500,000.


It takes the ICO a long time to investigate a breach

Breaches vary in complexity and size – in the case of the BA breach, it’s taken the ICO a year to complete the investigation. The quickest investigation we’ve seen is six weeks. There’s every chance that investigations will continue to take long periods of time, as the ICO has to learn the new law and understand how to implement it, much as businesses have to learn how to comply. The enforcement landscape will change though; as the ICO skills up, decisions will be made in shorter time periods and the size of fines will escalate.


It’s a lot of money

£183 million is a significant amount of money, but the question is whether it’s a significant fine – it’s only 1.6% of BA’s turnover and the ICO could go up to 4%. The top end of that percentage bracket is reserved for organisations which maliciously misuse personal data or special category data (e.g. medical and religious data). This implies that while BA has failed to meet the requirements of the law (more on that below), it has also tried to comply.


It’s a matter of T & Os

T & O stands for Technological and Organisational measures – the things an organisation has done, put in place and maintains to keep the personal data it controls or processes secure. What T & Os are suitable for one organisation may not suit another – the type of data and the size of the organisation have to be taken into account. Although the full report on the investigation is yet to be issued by the ICO, it has already indicated that T & O failings are why the fine is so high. Every organisation should have, as a minimum, staff awareness training, a comprehensive data map, a processor log, and policies, plans and procedures in place to protect the personal data it handles (don’t forget staff are people too).


What happens next will be critical

The decision by the ICO isn’t the end. In fact, it’s just the beginning. BA has 28 days to reply to (appeal) the decision. As the breach affects citizens across the EU, the data protection authorities in the other EU countries can also provide input on the ICO decision.

It also marks the start of a new world where the ICO has the bite behind the bark to punish businesses that fail to comply with the law.