Data protection laws in the UK were updated on 25 May 2018 when the General Data Protection Regulations (GDPR) 2018 came into force. These changes were the subject of much media attention in the months leading up to their implementation.

After a slow start, we are gradually seeing some developments in this area, and it is becoming clear that the Information Commissioner, who deals with data protection breaches in the UK, is certainly not shy to flex its muscles in imposing hefty penalties on businesses that breach the Regulations.

This is evident from the reaction of the Information Commissioner, who has imposed a staggering £183.4 million fine on British Airways, which suffered one of the worst cyber attacks seen in the UK.

This penalty represents 1.5% of British Airways' worldwide turnover in 2017. The Information Commissioner could have imposed a maximum penalty of 4% of turnover, and so the penalty, although huge, is not the maximum that could have been imposed.

In June 2018, British Airways' website was hacked and 400,000 British Airways customers who had used the website or its app to book flights had their personal bank/credit card details stolen. It also came to light that it took British Airways over two weeks to detect these data protection breaches.

During the course of the investigation, a second data protection breach was detected, which revealed that an additional 77,000 customers had their names, home addresses, e-mail addresses and card payment details, including card numbers, expiry dates and customers' unique CVV numbers, stolen.

British Airways reported these data protection breaches to the Information Commissioner in September 2018 and now intends to appeal and fight the Information Commissioner's decision to impose this hefty penalty.

The CEO of British Airways, Alex Cruz, has stated: 'We are surprised and disappointed in this initial finding… British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud or fraudulent activity on accounts linked to theft.'

Meanwhile, the Information Commissioner, Elizabeth Denham, said: 'People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.'

It will be interesting to see if the appeal by British Airways is successful or not, and there is no guarantee that it will be.

The penalty imposed will also be split and paid to other EU Regulatory bodies and will not be used to compensate the victims of these GDPR breaches. Individuals who have been affected by these GDPR breaches will need to make their own claims for compensation.

Clearly, this shows that the Information Commissioner is not afraid to show its teeth where serious data protection breaches occur. It is therefore imperative that all businesses take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and to have measures in place to prevent and minimise the impact of any incidents.

Steven Eckett is a Partner and Head of Employment at Meaby & Co and he can be contacted on 020 7 053 6506 or by e-mail