Clearly, BA breached Article 5 of the GDPR rules
It can be reasonably expected that any decision by the ICO will set a strong precedent for future large scale data breaches
“Not long after the first anniversary of GDPR coming into force, the ICO has issued the largest ever fine to British Airways for a data breach relating to 500,000 customers.
“Under Article 5 of the GDPR rules, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…and…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures (‘integrity and confidentiality).”
“The compromised information in the BA cyber incident included log in, payment card, travel booking, name and addresses. Clearly, BA breached the above Article and the wider GDPR as it failed to properly safeguard personal data that it was entrusted with.
“BA has been issued with a fine amounting to 1.5% of its worldwide turnover in 2017, which far surpasses the previous record fine of £500,000 which Facebook was ordered to pay in the Cambridge Analytica data scandal. The difference in the fines is owed to the change of law between the incidents namely the arrival of GDPR, which allows a maximum fine of up to 4% of annual turnover.
“The penalty is substantial. There are various factors considered when setting the level of the fine which include; the number of people affected and the level of damage suffered, negligent character of the infringement, degree of responsibility of the controller and the categories of personal data affected by the infringement amongst other things. Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty sending a strong message to all data controllers.
“This first large fine would always be hotly contested and in the next 28 days, we should learn more details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account; any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.
“Given the current GDPR guidelines it can be reasonably expected that any decision by the ICO will set a strong precedent for future large scale data breaches. Anyone who has not yet taken steps to ensure that they comply with GDPR should revisit what they need to do in the context of their business.”