The British supervisory privacy authority ICO intends to fine British Airways £183.39m (€204 million) for a data breach, its first fine under the GDPR
In a statement of July 8, 2019 the ICO has issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR) following an extensive investigation:
“The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.
ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
British Airways is “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).
It could be expected that after consultation of the other supervisory authorities the fine will be slightly reduced by the ICO. The ICO states that British Airways is cooperating with the ICO, which could be a good reason to reduce the fine. Important in that respect is that British Airways has made improvements to its security arrangements in the meantime as well. Relevant seems to me as well the fact that British Airways is prepared to pay damages and seriously seems to try to limit damages for the data subjects involved. British Airways will also have the opportunity to make representations and to protest against the intention of the ICO to fine British Airways.
In the Netherlands the Dutch Data Protection Authority has developed its own policy in this respect.
The basic fines can be increased or reduced, depending on the relevant factors of this policy. These relevant factors are:
- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
- The deliberate or careless nature of the infringement.
- The measures taken by the controller or the processor to limit the damage to the data subjects involved.
- The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR.
- Previous infringements, where relevant, by the controller or the processor.
- The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
- The categories of personal data affected by the infringement.
- The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
- The extent to which the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
- Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
- Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.
Exciting times for British Airways and again a serious warning for companies not taking the GDPR seriously.