
British Airways issued £20 million fine by ICO for data breach

October 20, 2020, by Preiskel & Co

In a significant reduction, the UK Information Commissioner’s Office (the “ICO”) has announced that it has issued a notice of its penalty decision to fine British Airways (“BA”) £20 million. This is a different figure from the ICO’s previous notice of intention from July 2019, where BA faced a potential fine of £183.39 million.

The ICO previously ruled that BA had failed to process the personal data of its customers in a manner that ensured appropriate security, in breach of Article 5(1)(f) and Article 32 of the GDPR. This allowed customer payment card data as well as other personal information to be redirected away from BA’s website. BA was made aware of the problem by a third party and notified the ICO on 6 September 2018, but by then the data breach had affected more than 400,000 customers.

The reasoning behind the penalty reduction is set out in the Penalty Notice, which enumerates the details of the data breach and BA’s specific failures. Despite the initial eye-watering figure in the notice of intention, the ICO took BA’s representations into consideration during its decision-making process. The Penalty Notice states that due to the nature of the incident, a penalty of £30 million would have been appropriate in principle. However, multiple mitigating factors were to BA’s benefit. These factors included BA receiving no financial benefit from the breach, notifying the ICO promptly, there being no previous infringements relevant to the current breach, and BA having offered to compensate consumers for financial losses suffered as a direct result of the theft of card details. The ICO also stated that BA had cooperated fully with the investigation and noted the improvements that had been made to BA’s IT security since the breach.

These factors led to a 20% reduction of the fine to £24 million, and the ICO stated that, “having regard to the impact of the COVID-19 pandemic (on BA and more generally) … a further reduction of £4m is appropriate and proportionate.” This resulted in the final penalty figure of £20 million.

These representations from BA significantly lengthened the decision process, even after the ICO’s initial proposal of a £183 million fine was issued following a nine-month investigation. The Penalty Notice, issued more than a year later, reduces that figure by almost 90%. Other businesses that are facing significant penalties under the GDPR may also seek to engage in significant representations in the hope of materially reducing any final penalty. However, it is worth highlighting that the mitigation from BA related to all of its actions reducing the impact of the breach and was not considered in reducing the initial proposed fine.

This all leads to uncertainty as to the potential scale of any penalty that the ICO may issue for a data breach, including in the consideration companies need to give when reviewing their policies and contractual obligations in light of the 31 December 2020 deadline for the end of the Brexit transition period.

Please contact Jose Saras and Joanna Coombs-Huang if you have any questions relating to data protection policies and procedures.
