British Airways: Proposed GDPR Fine Likely to be Reduced


In July 2019, the Information Commissioner’s Office (ICO) signalled its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued with much fanfare.

One of the Notices was issued to British Airways for the eye-watering sum of £183 million. This was the result of names, email addresses and credit card information being stolen by hackers from the BA website. According to the statement from the ICO at the time, 500,000 customers were compromised in this incident.

Remember that this was a Notice of Intent and not a fine. After many months of delays and the coronavirus lockdown, we are now in a position to hazard a good guess as to the amount of the actual fine. Thanks to the reporting requirements for listed companies, it is very likely that British Airways will be fined much less than the £184 million announced a year ago, and could be as little as 10% of that amount.

On 31st July, IAG (British Airways’ parent company) issued its Interim Management Report for the six months ended June 30, 2020, which states:

“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued.”

It will be interesting to see what happens to the other Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Watch this space!

This and other GDPR developments will be covered in our new online GDPR update workshop. The lockdown is the perfect time to train your staff about GDPR and keeping data safe. With our GDPR Essentials e-learning course they can do this from the comfort of their own home.


Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
