British Airways: Proposed GDPR Fine Likely to be Reduced


In July 2019, the Information Commissioner’s Office (ICO) signalled its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent were issued with much fanfare.

One of the Notices was issued to British Airways for the eye-watering sum of £183 Million. This was the result of names, email addresses and credit card information being stolen by hackers from the BA website. According to the statement from the ICO at the time, 500,000 customers were compromised in this incident.

Remember that this was a Notice of Intent and not a fine. After many months of delays and the coronavirus lockdown, we are now in a position to hazard a good guess as to the amount of the actual fine. Thanks to the reporting requirements for listed companies, it is very likely that British Airways will be fined much less than the £184 million announced a year ago, and could be as little as 10% of that amount.

On 31st July, IAG (British Airways’ parent company) issued its Interim Management Report for the six months ended June 30, 2020, which states:

“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued”.

It will be interesting to see what happens to the other Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Watch this space!

This and other GDPR developments will be covered in our new online GDPR update workshop. The lockdown is the perfect time to train your staff about GDPR and keeping data safe. With the GDPR Essentials e-learning course they can do this from the comfort of their own home.


About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 17 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.