In the first penalty levied since the General Data Protection Regulation (GDPR) went into effect, British Airways faces a record £183 million fine for a 2018 data breach that affected 500,000 customers. The fine is equal to 1.5% of British Airways’ worldwide revenue in 2017, which is less than half of the possible maximum fine of 4% of annual sales.
In announcing the fine, the Information Commissioner’s Office said that customers’ login, payment card, travel booking, name, address, and other details were compromised by British Airways’ poor security.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as the name and address information.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
What does this mean for marketers?
“GDPR enforcement has been slow to ramp up, but with this high-profile penalty, it’s clear that the EU’s Information Commissioner’s Office will impose the stiffest penalties that the GDPR affords,” says Brian Sullivan, Strategy Director of Email Deliverability Services at OMC Consulting. “With this BA breach penalty, brands are on notice that GDPR compliance is critical and that breaches won’t be tolerated.”