British Airways: ICO takes GDPR regulatory action

The ICO (Information Commissioner’s Office) announced today that it will be fining British Airways £183m for the website data breach it suffered last year.

I said at the time that a data breach on this scale and which lasted as long as this one did was certain to be significantly expensive for BA. The £183m fine (just 1.5% of the organisation’s 2017 global turnover) is at the bottom range of expectations.

In addition to the fine, and all the costs of dealing with and cleaning up after the breach, BA is still facing the possibility of one or more class-action suits from those who believe they suffered loss as a result of the breach.

Co-operating with the ICO after a data breach is an important part of limiting exposure to regulatory action – but it’s obviously much better not to have a breach in the first place!

However, that requires investment in cyber security, in PCI DSS (Payment Card Industry Data Security Standard) compliance and in GDPR (General Data Protection Regulation) compliance, something that too many boards and directors still think is unnecessary, because they’ve ‘never been breached’.

The reality, as report after report shows, is that all organisations suffer breaches, and do so on a regular basis. Smart boards are therefore already taking action to ensure that their GDPR and PCI DSS compliance is in top shape, and that their investment in cyber security is proportionate to their actual exposure.

Don’t risk it – if you’re not already in cyber secure shape, today is not too late to make a start!