Information Commissioner’s Office (ICO) announces its intention to fine British Airways for a data breach under GDPR

The ICO have just published its Notice of Intent to fine British Airways £183.39 million for infringements of the security principle of GDPR. The breach was disclosed by the airline back in  September 2018.

While the ICO has merely published its intention and no actual fine has been imposed, the fact that the ICO has published a Notice of Intent suggests that it has enough evidence of the breach to keep British Airways on the hook.

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, as well as the name and address of customers.

Key takeaways based on what we know so far:

1. Organisations should take appropriate measures to ensure GDPR compliance. There is no one-size-fits-all solution.
2. The regulatory process takes time. It has taken nearly 10 months for the ICO to publish its Notice of Intent.
3. Co-operation helps. The ICO said that British Airways has cooperated with its investigation and has already made security improvements following the breach. Under GDPR, the ICO can fine organisations up to 4% of their annual global revenue. Based on the Notice of Intent, the suggested fine would only be 1.5% of British Airway’s global turnover in 2017.

In other events this week, King’s College London have notified the ICO that it has breached GDPR by unlawfully sharing sensitive personal data about politically active students and staff with the Metropolitan Police. This was detected following a review carried out by an independent higher education consultant who found that none of these individuals had been a part of a disciplinary process or found guilty of violating the policy or regulations of King’s College London. The university is now working on a plan to implement the review’s recommendations.

VinciWorks’ job-specific GDPR refresher training

Compliance with the General Data Protection Regulation (GDPR) is an ongoing process. Best practice for compliance training is to enrol staff in a new GDPR course around once a year, rather than simply asking them to take the same course. Fully interactive, VinciWorks’ new customisable GDPR refresher course combines short bursts of learning with practical scenarios and real-life examples to ensure all staff know how to safely and securely work with data. Staff in roles that require advanced training, such as HR, IT and marketing, can choose to take job-specific modules.