On July 8, 2019, the UK Information Commissioner’s Office (ICO) proposed a £183 million ($230 million USD) penalty against British Airways under the General Data Protection Regulation (GDPR) stemming from a 2018 data breach. Those who thought GDPR compliance could be put off because there might be minimal enforcement just received a loud wake-up call.
The proposed penalty arose from an incident in which the Personal Data of approximately 500,000 customers was exposed when those customers were redirected to a fraudulent website. British Airways notified the ICO of the incident in September 2018. The ICO, in its press release, attributed the information compromise to “poor security arrangements at the company, including log in, payment card, travel booking details as well as name and address.”
While the press release did not specify the exact GDPR violations that occurred, they will most probably comprise Article 32 (Security of Processing) and Article 30 (Records of Processing Activities, including policies and procedures), at a minimum.
GDPR covers all organizations that either conduct business with European Union (EU) residents or track the internet behavior of EU residents (e.g., through the use of tracking cookies). In other words, almost every company, wherever it may be, that has a website and markets its goods or services to residents of the 28 EU countries is under the jurisdiction of the GDPR. These companies are subject to penalties and, perhaps worse, to the adverse publicity and reputational damage that a GDPR proceeding brings.
Many companies, especially in the US, had been taking a “wait and see” attitude before commencing a GDPR compliance initiative because they believed there would be no real enforcement of the law. Those organizations must now confront the real financial and reputational risk that noncompliance can bring: the British Airways penalty, the largest to date, is at least the fourth levied so far. More will surely follow. More organizations will also undoubtedly tighten their requirements for vendors and other business partners to meet GDPR standards as a condition of doing business.
If you have questions regarding the status of your organization’s GDPR compliance, please contact Kenneth N. Rashbaum.