The Information Commissioner’s Office (ICO) has announced its intention to fine British Airways £183.39m over the 2018 data breach involving around 500,000 of its customers due to “…poor security arrangements” (BBC). The figure amounts to 1.5% of the airline’s worldwide turnover and is the largest penalty to be announced since GDPR came into effect in May 2018. Does this mark a shift in the way the ICO and other European regulators will operate going forward?
A quiet 12 months has been interpreted by some as the ICO focusing on supporting businesses with embedding data privacy, alongside clearing a backlog of customer complaints. But the size of the British Airways fine suggests it’s starting to take a harder line on non-compliance, reinforced by the £99.2m penalty just issued to Marriott for a data breach in 2014, which affected 339m customers (BBC).
So will the ICO kick off proactive reviews in specific areas or sectors over the coming year?
Either way, public and private sector organisations are likely to come under increasing pressure to ensure they are supporting GDPR, as well as meeting ever-increasing customer expectations on data privacy.
As Elizabeth Denham (ICO Commissioner) said on 23 May 2018:
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act, but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
Is your organisation committed to ongoing investment in its data privacy agenda? Do you have a clear roadmap on how data privacy will be embedded across your organisation? Or is data privacy just the tip of your data transformation iceberg? Find out more about Gate One’s Data Transformation services.