On Friday 16th October, the UK’s Information Commissioner’s Office announced its long-awaited fine of British Airways for breach of the GDPR following a cyber-attack in 2018. The final fine of £20 million is the largest fine issued by the ICO under the GDPR, although it has been reduced from the £183.39m originally proposed.
Key takeaways for organisations include: (1) reviewing the checklist of security measures expected by the ICO that is included in the penalty notice; (2) having in place well-developed and tested response plans so that incidents are escalated with the appropriate degree of urgency; and (3) understanding that the cost of breaches extends well beyond regulatory fines and includes litigation brought by data subjects (which, for BA, is working its way through the courts).