Briefings

ICO makes its mark with first large GDPR fine

The UK Information Commissioner's Office (ICO) made history yesterday by announcing its intention to fine British Airways a painful £183.39 million for a data breach that occurred last year.

This will be the ICO's first substantial fine under the EU General Data Protection Regulation (GDPR). We understand that before making its final decision, the ICO will consider representations from British Airways, and from other data protection authorities.

HFW's comment

The ICO has a global reputation for being a business-friendly regulator. That said, it does take its enforcement responsibilities seriously. Cyber security is an increasingly pressing issue. This fine (assuming that it is confirmed) provides a concrete example of the ICO's focus on security of personal data, and its willingness to use its powers to make an example.

It is also a wake up call. Cyber events and their consequences can affect even reputable and responsible organisations. Make sure that yours has in place the best security that it can afford, and that its cyber response procedure is honed and agile: you may have to use it.

More analysis to follow: watch this space.