Back in 2018, an ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure breached data protection law and, subsequently, BA was the subject of a cyber-attack during , which it did not detect for more than two months.

As a result, in July 2019, the ICO published its intention to fine British Airways ("BA") GBP 183.39 million for breaches of data protection law.

However, so much has happened since then, including a global pandemic, a looming global recession and a grinding standstill of the travel industry (something that a year ago was unimaginable). 

It is therefore comforting that the ICO maintains its pragmatic approach towards compliance and enforcement. While it has imposed its highest fine to date, it seems to have taken the current circumstances into account and reduced the fine quite substantially from the amount originally intended.

The ICO's carrot and stick approach towards compliance is clear from this decision:

  • The stick - The ICO takes its job very seriously: When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives, and the ICO will use the tools it has at its disposal to encourage businesses to make better decisions about data.
  • The carrot - The ICO lives in the real world: While it won't accept excuses or poor performance when it comes to compliance, it will consider the improvements made by organisations and the business circumstances when making a decision.