Five conclusions from the UK ICO’s British Airways fine


On October 16, the UK Information Commissioner (ICO) confirmed that it had fined British Airways (BA) £ 20 million for breaching the GDPR for recovering the personal information of around 400,000 of its customers following a breach in the Not protected in 2018.

The fine is the highest ever imposed by the ICO. The previous record was £ 500,000 in 2018 for two separate breaches of the now superseded Data Protection Act 1998.

The violation was caused by an attacker gaining access to the internal BA network using compromised third-party credentials. This access allowed the attacker to install malicious code on the BA website, which was used to filter out customer data such as credit card numbers, names and addresses.

While much of the coverage of the announcement has focused on the significant reduction in the fine from the £ 183 million originally announced last year, there are a number of more fundamental conclusions that can be drawn from the decision that are important for organizations to to be aware of it.

1. Preventive measures are key to avoiding penalties

In its defense, BA argued that it could not be held responsible for the activities of organized criminals who were involved in the attack. The ICO disagreed and emphasized that the reason for the sanctioning of BA was not that there was a breach of personal data per se, but that the company primarily did not take appropriate technical and organizational security measures to protect personal data of his customers.

This is an important distinction that organizations must be aware of. This means that being willing to respond to a breach and take immediate action to mitigate the damage caused by a data incident may not be enough to prevent sanctions from being imposed.

2. Security must be implemented by default

Taking into account the ICO’s reasons for the sanction, the primary focus of organizations should be that robust information security measures are in place and maintained to prevent personal data breach. Internal legal and compliance teams not only need to be involved in defining appropriate guidelines and standards for protecting data, they also need to work closely with the information security team to ensure that:

  • robust technical measures are implemented in practice,
  • These measures are documented and kept up to date
  • Risk assessments are continuously performed to identify critical systems and potential vulnerabilities that could pose a threat.

3. The ICO provides information on the expected security standards

For organizations that process significant amounts of personal data, the decision provides some useful guidance on the level of security measures that the ICO is likely to deem necessary.

First, the ICO went beyond its own regulatory guidance in interpreting the Article 32 requirement and made extensive reference to industry standards and technical guidance issued by various third parties in assessing the errors identified by BA.

A broad approach has also been taken in assessing the circumstances in which Article 32 applies. The ICO rejected BA’s argument that the obligation to take appropriate technical and organizational measures only applies to systems that process personal data. This means that companies must apply the same regulatory standard to all aspects of their network, which can pose a threat and lead to a personal data breach.

Finally, there were a number of technical measures that were highlighted as inadequate within the BA. The gaps found here, while case-specific, provide useful insight into the regulator’s expectations. They include:

  • Use of measures to detect security breaches (e.g. logging and scanning for code changes),
  • active management of supply chain risks and
  • the need for multi-factor authentication for remote access to an internal network via an external device.

4. How BA reacted to the incident was important in reducing the fine

While the sanction was imposed based on security flaws that existed prior to the incident, the steps the airline took in its response resulted in the fine being reduced by £ 6m (20% discount). These steps included immediately notifying data subjects, regulators and law enforcement agencies, BA’s full cooperation with the ICO during the investigation, offering to reimburse customers who suffered financial losses, and the remedial actions that have since been taken to improve the Security have been taken. This underscores the importance of organizations suffering from a data breach to take prompt action to respond to the incident, work with regulators and take proactive measures to reduce the damage being done to the data subjects concerned.

In practice and in view of the specific notification obligations set out in the GDPR, it is important to know how to react immediately after a data security incident. As more jurisdictions around the world adopt mandatory data breach notifications, making the right decision about who, when, and how to notify is likely to have a direct impact on the enforcement approach taken by regulators.

It is also important to note the attenuations that the ICO did not find relevant to considering quanta. She dismissed the importance of the criminal nature of the incident, noting that while none of the individuals concerned suffered financial damage, this was not a requirement for a fine to be imposed.

5. The ICO has changed the basis for calculating the fine

After the ICO published its letter of intent in 2019, BA questioned the basis on which the agency calculated the £ 183 million fine it was about to impose. His arguments included that the ICO’s use of an unpublished draft of an internal procedure to provide a guide to quanta in relation to controller sales was illegal. This resulted in the ICO changing the way the fine was calculated and was cited as one of the main reasons for reducing the amount to £ 20 million.

The change in ICO methodology resulted in the fine being calculated with reference to the agency’s external regulatory policy and the additional factors listed in Article 83 (2) GDPR. This provides welcome clarity as to what basis future fines should also be calculated on.