Reassuringly dull cyber security | e: info@normcyber.com | t: +44 (0) 203 855 6215

BA £20 million fine by ICO – big deal or big flop?


On 16 October 2020 the ICO announced that it had fined BA (British Airways) £20 million for breaching the GDPR in connection with a 2018 data breach – the biggest fine the ICO has ever imposed and one of the highest handed out under the GDPR anywhere in Europe.

Cliff Richard might say that ‘congratulations and celebrations’ are in order (if you’re not BA, that is), but hang on a min: the ICO originally proposed a fine of £183,390,000. That means BA ‘saved’ £163,390,000 – so maybe Cliff should be saying ‘congratulations and celebrations’ to them? What’s going on? Let’s start at the beginning (always a great place to start).

One day in 2018 someone hacked into BA’s computer systems and accessed the personal data of more than 400,000 customers, including names, addresses, card numbers and CVV numbers, as well as the usernames and passwords of some BA employees and admin accounts.

Pretty bad, huh? Yep, but it gets worse – this went on for over two months before BA found out, and even then only because someone else told them what was happening…

On investigation, the ICO concluded that BA had breached its data security obligations under the GDPR and issued a ‘notice of intent’ to BA confirming its intention to impose a penalty of £183.39m. But BA didn’t just roll over and pay up. Oh no – they got themselves some ‘legal eagles’ who filed lots of submissions (i.e. criticisms) that basically claimed the fine was way, way too high.

And, as if by magic, the fine was reduced by nearly 90%! Amazing!

Now, going through the details for this dramatic fine reduction would be mind-numbingly tedious to anyone who isn’t a data protection lawyer, but the (very important) point is that the ICO got itself in a right sticky mess about how it went about calculating the original proposed fine.

Basically, the ICO relied on its (unpublished) ‘Draft Internal Procedure’ to calculate the proposed fine, which provided that the starting point for all fines should be turnover-based. This approach was strongly challenged by the lawyers acting for BA, which seems to have caused the ICO to adopt a different approach to calculating the amount of the fine – hence the very significant reduction.

So, what lessons can be extracted from this sorry tale (apart from ‘don’t get hacked’ and, if you do, have things in place so that you know about it)? Well, probably the most obvious is that a business accused of breaching the GDPR may be able to significantly reduce a fine by presenting strong mitigating arguments. As the ICO stated in the Penalty Notice, “the proposed penalty is less than the initial proposed penalty as a result of BA’s Representations”. This seems like code for ‘damn, those lawyers are hot stuff’ (errr, in the clever sense of the word).

Of course, there’s no getting away from the fact that this fine is still a very significant amount and arguably represents a serious statement of intent about the ICO’s enforcement position going forward.

Still, you can’t help but think that the original proposed fine was just what the world was waiting for (looking forward to?) and that the huge reduction makes it seem (perhaps unfairly) that the ICO got its butt whipped.

Let’s see what happens to the ICO’s proposed £99 million fine on Marriott…

Robert Wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.
