For Lawyers

GDPR, BA and £183m!!

British Airways was hit with a record fine of £183m yesterday for a Data Breach that happened in 2018. The breach compromised the data of about 500k customers. It was the sheer level of the fine that shook the world! The previous record fine was £500k that Facebook had to pay following the Cambridge Analytica scandal which affected many millions of users. So how have we got to an increase of £182.5m???

The rules on Data Protection changed dramatically in May 2018. In fact, the law itself is not greatly different from what it had been under the Data Protection Act 1998. There were some changes to the detail. The time for response to a date access request was reduced to one month. Data controllers are no longer allowed to make a charge. Despite this, nearly every business that has anything to do with customer data went to staggering lengths to adapt to the new rules. How many of us were bombarded with emails from suppliers asking us to sign up to new ‘GDPR’ friendly terms of business.

The single factor that concentrated the minds of companies was the eye-watering penalties for data breaches. There are two tiers. The lower tier sees a maximum penalty of €10m or 2% of annual turnover, whichever is higher. The higher tier sees of €20m or 4% annual turnover. If the intention was to make businesses take the new rules seriously then that goal was largely achieved!

When I have been training firms on GDPR I have tried to re-assure them that they are unlikely to face a €10m fine just because they leave a client’s mortgage offer on top of the drinks machine! And that remains the case. Many minor breaches are not even reportable if ‘the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’ (Art 33). But this decision cannot be ignored.

Organisations which handle data at the level of BA, Facebook, Talk Talk (fined £400k in 2014) do face the risk of penalties at this terrifying level. But the message to all businesses is that you must take Data Protection seriously. Information Commissioner, Elizabeth Denham said of the BA fine –

 "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


This statement affects all of us. If we do not look after the data that we control, then we will pay the penalty. It may not wipe us out. It won’t wipe out BA. But it will not be painless.

We have had GDPR for just over a year.


Are you taking it seriously? Are your staff suitably trained? Are your systems robust and tested?