Just over a year after the EU's GDPR came into force, we've reached a landmark moment: the first large-scale penalty has been announced, with British Airways facing a fine of £183 million (on the day the fine was announced, equivalent to just short of $228 million) for a data breach disclosed by the company in Sept 2018.
The breach occurred when users of BA's website were redirected to a fake site, which compromised the personal data of around 500,000 of them. It's the largest GDPR-related fine so far, and the UK's data protection body, the Information Commissioner's Office (ICO), imposed it based on 1.5% of BA's 2017 worldwide revenue.
Whether BA succeeds in appealing the level of the fine remains to be seen, but this is huge news on every level. Not only does it illustrate the willingness of regulators to impose massive fines for massive data breaches, it also reminds us that this situation could be just the tip of a financial iceberg. Everyone who has followed and written about GDPR has speculated about the huge level of financial penalties that are possible, given the maximum upper limit of 4% of worldwide revenue.

So, the bigger the company, the bigger the potential fine. BA is part of IAG, one of the world's largest airline groups, and brought in global revenues of $16.5bn in 2018. Yet IAG sits at 'just' number 428 on the Forbes Global 2000 list. There are 15 companies on that list with annual sales of over $200 billion, for example. A fine for any business of that size, set at the levels now faced by BA, comes out at a truly mind-boggling $3 billion+.
It's perhaps now irrelevant to ask whether the mere prospect of heavy regulatory penalties has been changing corporate behaviour over the past year or not. As the BBC put it, the level of the fine will send "a shiver down the spine of anyone responsible for cybersecurity at a major corporation." Its announcement also draws a new line in the sand for everyone, and corporations now have some real numbers to work with. Anyone working under the assumption that regulators wouldn't wave their big stick can no longer be in any doubt.
Business leaders need to ask themselves whether they are content to live with the jeopardy of data protection fines running into the potential nine-figure bracket, or whether it's more prudent to invest a fraction of that total in better cybersecurity procedures and technologies.
And there's more to come. With new data privacy legislation arriving at both the international and local level, the emphasis on corporate responsibility and accountability has been transformed. The California Consumer Privacy Act (CCPA), for example, becomes effective on Jan 1, 2020. Breaching these regulations allows citizens of California to sue for up to $750 for each violation, and the state attorney general can sue for intentional privacy violations of up to $7,500. With the scale of recent data breaches affecting millions of consumers at a time, the potential for companies to face extremely large penalties is clear.
According to a recent report in the
In the near future, global data breaches could be pursued by multiple regulatory authorities and private citizens alike. Subject to appeal, the size of the BA penalty has set a level against which all future data breach fines will be judged. Who's to say that within a few short years, articles covering the "Top 10 GDPR Fines" won't show that BA's experience ends up being well down the list?