Wed 10 Jul 2019

People's personal data is just that - personal

In the first of the anticipated large fines under the data protection laws that came into force in May 2018, the ICO has issued a notice of intention to fine British Airways a record £183.39M for infringements of the General Data Protection Regulation (GDPR). British Airways now has the opportunity to make representations to the ICO on the proposed fine before a final decision is made, not least because the company says it has found no evidence of fraudulent activity on accounts linked to the breach.

The ICO’s investigation concerned a cyber incident in which user traffic to the British Airways website was diverted to a fraudulent site, resulting in the personal and financial information of approximately 500,000 customers being compromised. The investigation found that a variety of information was compromised because of poor security arrangements, including login details, payment card details, travel bookings, names and addresses.

Prior to the GDPR, under the Data Protection Act 1998, the maximum fine the ICO could impose for a breach of data protection obligations was £500,000. This fine therefore represents a stern wake-up call to all organisations as to how seriously the ICO will treat breaches of the GDPR. Under the GDPR, the maximum fine is 20 million Euros or 4% of worldwide annual turnover, whichever is greater; the British Airways fine represents 1.5% of its 2017 global turnover.

The ICO’s position on the steps all organisations must take to keep the personal data they hold on customers and employees safe is now clear. As Information Commissioner Elizabeth Denham said:

“When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

All businesses and organisations therefore need to ensure that they are complying with their data protection obligations. It is not only the fines that can affect a business, but also the reputational damage, the cost of correcting the issue, and the legal costs of dealing with and defending claims brought by data subjects for breach of their data protection rights.

If you require any advice in relation to your data protection rights and obligations, particularly in relation to employees’ personal data, please contact Julie Edmonds, Head of Employment, by email, by telephone on 0207 644 7286, or on LinkedIn.
