BA fine £20m… post from Ian Warren

News and information from the Advent IM team.

Thank you to Senior Security Consultant, Ian Warren.

The final outcome of the 2018 BA data breach has left many observers with mixed opinions. After a figure of around £183m had been mooted across the various media outlets, there is a perception that the result falls far short of expectations. Is this a partisan result? Protection for one of our flag-bearer institutions?
Everyone saw this incident as the first real test of the new DPA 2018 and GDPR regime: how was the UK Supervisory Authority going to react? As I said, expectations were high and the outcome was met with some critical comments suggesting an opportunity missed, but one has to ask whether those commentators actually read the ICO's penalty notice.
The incorporation of GDPR into UK law, as the DPA 2018 went onto the statute book, was welcomed as the real deal: the means by which businesses would come under greater, more stringent scrutiny, with potentially significant penalties for failing to respect the rights of the individual and to apply appropriate measures for the protection of their personal information.
The BA incident highlighted monumental failings across the board, and the ICO issued an early Notice of Intent to fine, giving BA time to respond and make representations.
The final outcome was reached after BA had presented its response and, more crucially, once the ICO had consulted its European counterparts. Because the incident crossed national boundaries, every affected Supervisory Authority was entitled to input under the GDPR cooperation mechanism; the ICO took the role of Lead Supervisory Authority because BA's main establishment is in the UK.
One of the significant factors in the end result has been the Covid-19 pandemic. The ICO and its European partners have clearly taken into account the financial impact of the situation, and BA's ability to 'pay and survive' was explicitly considered. It is little consolation for those affected: roughly £45 per affected individual across the approximately 430,000 people whose data was compromised. But the wider ramifications of the penalty, had it been as severe as first proposed, could have been a potential business killer; it would therefore probably have had a greater impact on those who depend on BA's ability to operate.
It is therefore fair to say that the ICO took a pragmatic, holistic view, ensuring a strong message was sent while balancing it against the impact of a more punitive figure. Food for thought.
