header image

British Airways: The First UK Casualty of the GDPR

Alex Evans 8 July 2019
8 July 2019    Alex Evans

Investing in Cyber Resilience: Spend, Strategy, and the Search for Value

Today's fast-changing threat landscape puts increased pressure on companies to make the right investment choices and improve their cyber resilience. For this report, S-RM surveyed 600 senior leaders and IT decision makers to discover which cyber investment areas provide the best value for money and what savings result from investing in cyber security.

Download Report

British Airways GDPR
On 8 July, the UK Information Commissioner’s Office (‘ICO’) announced its intention to fine British Airways for its well publicised 2018 data breach. This is the first proposed enforcement penalty issued by the ICO under the General Data Protection Regulation (‘GDPR’) and, at GBP 183.39 million, amounts to 1.5% of British Airways’ revenue from 2018.

There has been an initial reaction of surprise at the size of the fine, given the generally positive commentary from industry experts at how the airline handled the incident. Notification appears to have occurred within the 72-hour period of the incident being discovered, and there was frequent and transparent communication with customers. So why are the ICO taking a hard stance on this case?

While not a lot of information has been disclosed at present, the main item highlighted in the ICO’s announcement is that their investigation revealed poor security practices at the airline. This is characterised by a dwell time (the amount of time between the attack first taking place and it being discovered) of around three months. This allowed attackers to continue stealing a large amount of personal data, including payment details, while British Airways and its customers remained completely unaware.

Additionally, it’s important to note that while the figure will make for good headlines, the fine is “only” 1.5% of British Airways’ revenue. This is less than half of the maximum penalty that can be issued under the GDPR, which caps at 4% of global turnover. It is, however, a noticeable step up from the previous Data Protection Act penalty structure, where Facebook were issued the maximum GBP 500,000 fine late last year. Under the GDPR, a maximum 4% fine for Facebook would have equated to GBP 1.75 billion.

As alluded to in the ICO’s announcement, and as discussed in our article ‘Reading the Fine Print’ an organisation’s security controls will be closely scrutinised by data protection authorities following a data breach and will be a crucial contributing factor to the calculation of penalties. Implementing effective security controls, to help prevent a breach and reduce the dwell time for incidents, must be a priority for businesses handling personal data. In addition, a well-rehearsed incident response plan is a crucial part of handling the fallout from an incident, and British Airways’ response to their data breach could be the reason they are facing a 1.5% fine rather than something approaching 4%.

This is just the initial announcement of the ICO’s intentions and British Airways have already declared that they will appeal the fine. It will be a long time before the dust settles and this will likely become an important test case for the regulation.

S-RM is a global risk consultancy providing intelligence, resilience and response solutions to clients worldwide. To discuss this article or other industry developments, please reach out to one of our experts.

Roddy Priestly
Roddy priestly Director Email Roddy

Intelligent Business 2022 Strategic Intelligence Report

The evolution of strategic intelligence in the corporate world. Read S-RM's latest report.

Download Report