On 8 July 2019, the UK’s Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183.39m ($230M) under the General Data Protection Regulation (GDPR) for a breach that occurred from 21 August through 5 September 2018. During this breach the personal data of approximately 500,000 customers was stolen. The proposed penalty represents the largest fine of a company since GDPR came into force. The fine is approximately 367 times larger than the previous (pre-GDPR) record ICO fine of £500,000 imposed on Facebook for the Cambridge Analytica scandal.
The proposed ICO penalty, while a record amount, is still less than the maximum of 4% of annual turnover allowed under the GDPR. Even so, and despite the ICO noting BA's cooperation, the fine is the largest ever imposed by a regulatory agency. BA has 28 days to appeal this decision and is preparing representations to the ICO.
ACA Aponix Guidance
With this fine, the ICO is clearly signalling how seriously it regards companies' obligation to protect personal data, and how severely it intends to penalize firms that fall short. All firms need to ensure that they are in compliance with the GDPR and other relevant data privacy regulations. These safeguards are also crucial for portfolio companies that hold customer personal data.
ACA Aponix recommends that firms:
- Review and strengthen cybersecurity efforts to protect personally identifiable information
- Establish and review compliance programs for the GDPR and/or other data privacy regulations
- Notify employees of the data breach, and advise those who were personally affected to close their current credit card accounts and open new ones in their stead
How We Help
ACA Aponix can help your company reduce the risk of a data breach and avoid regulatory penalties. We offer the following services:
- GDPR gap analysis
- GDPR awareness training
- GDPR vendor diligence
- Cybersecurity and technology risk assessments
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Policies, procedures and governance
- Cyber incident response planning
- Mock regulatory cyber exams
- Threat intelligence
For More Information
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org