Until now, the largest penalty ever imposed under data protection laws was on Facebook, which was a fine of £500,000 for its role in the Cambridge Analytica Scandal. At the time, that was the maximum that was allowed.
However, since the GDPR came into effect last year, companies can be fined 4% of their annual turnover or 200 million euros, whichever is greater. This has been the biggest shake-up of data protection and privacy in decades.
It’s estimated that around 56 million euros worth of fines have so far been issued to firms that haven’t complied with GDPR. Facebook has faced eleven investigations, and British Airways is the latest company to be facing a record fine of over 200 million euros for a security breach.
British Airways, which is owned by IAG, is liable to a penalty of 1.5% of its global turnover. Since the new rules were introduced in 2018, this is the first case that’s been made public.
In a statement, the company said that hackers were responsible for the “sophisticated, malicious criminal attack” on its website and that it is “surprised and disappointed” with the outcome of the case.
According to the ICO, the data breach affected around 500,000 customers. Their details were collected by hackers after the customers had been redirected to a fraudulent site. This was disclosed in September last year.
BA said that the data didn’t include passport or travel details. They did, however, say that other information, including login details, card information, name and address, could be at risk.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”