The landmark £183 million fine imposed on British Airways should come as no surprise and may represent only the beginning of more stringent data privacy regulation, according to Darren Wray, CEO at Fifth Step, a business management firm for the re/insurance industry.
The Information Commissioner’s Office (ICO) imposed the penalty on British Airways for non-compliance with new General Data Protection Regulation (GDPR) rules following a data breach last year that compromised the personal details of around 500,000 customers.
British Airways said it was “surprised and disappointed” by the size of the fine, which amounts to around 1.5% of the airline’s £11.6 billion global turnover last year.
However, the EU regulation allows for fines up to 4% of revenues, meaning British Airways could have been on the hook for almost £500 million.
The company argues that it collaborated fully with the regulator and responded quickly to what it considered “a very sophisticated, malicious” attempt to harvest customer data.
But the ICO has maintained that British Airways should have had better protections in place, especially considering it was subject to a previous breach in 2017.
According to Fifth Step, 206,326 cases of cyber breaches were reported throughout the EU in 2018, of which 52% are now closed, 47% are ongoing and 1% are to be appealed. British Airways has stated that it intends to appeal the ICO’s decision.
Wray contends that similar incidents have the potential to be even more damaging in future when data protection regulation in the U.S. comes into force on January 1 next year.
These new rules could see organisations being fined or sued in multiple jurisdictions for the same breach.
California is the first U.S. state to pass an act that requires companies and employers to comply with data privacy and protection requirements under the CCPA privacy regulation, and Washington, New York and others are set to follow.
Wray warned that this is only the beginning for global data privacy regulation, suggesting that in a few years’ time businesses could be looking back fondly on the days when fines totalled in the low hundreds of millions and didn’t include nearly as much time in court or lawyers’ fees.