
July 28, 2019

Fines fly following airline cyber breach

The news that British Airways is facing a fine of £184m after personal data of some 500,000 customers was harvested by cybercriminals shows the tough stance of the UK’s data regulator following the introduction of new EU data protection laws last year.

The General Data Protection Regulation (GDPR) introduced stricter operating boundaries for businesses processing personally identifiable information about individuals, and it also extended the powers of data regulators, which in the UK means the Information Commissioner’s Office (ICO). Under the previous regime, the maximum penalty for a data breach was £500,000. Since GDPR took effect in May 2018, however, fines of up to €20m or 4% of total worldwide turnover can be imposed on businesses.

Robert Baugh, the CEO of Keepabl, recently wrote an article in the Modern Law Magazine highlighting the wider costs companies can face in remedying any breach. Baugh writes: “…the fines for the breach are likely to be dwarfed by other costs”, and in the example given, these costs outweighed a German company’s fine by 4 to 1.

For British Airways, unwitting customers were diverted from the real BA website to a fraudulent site. Even though the breach did not take place on BA’s own website, the ICO’s investigation found that poor security arrangements by BA had compromised customer data, including login and payment details, as well as names and addresses.

Our Data Protection Leader, M. Qaiser Khanzada, explains:

“It’s up to BA to make representations to the regulator over the findings to see if they can demonstrate why the proposed fine should be reduced, but this is a clear sign that the ICO is not going to pull any punches over data breaches under the new regime.”

The aim of GDPR was to harmonise data protection across all EU member states, meaning that any UK business trading with EU citizens must comply now and after Brexit. It introduced a statutory obligation to notify the regulator of any breach which placed an individual’s personally identifiable information at risk, and the ICO has recorded more than 40,000 data protection complaints since the launch of GDPR, with 14,000 personal data breaches reported.

The Head of the ICO, Elizabeth Denham, has urged organisations to face up to the challenge and move beyond baseline compliance to accountability, with an evidenced understanding of the risks to individuals in the way they process data and focused attention on how to mitigate those risks.

Qaiser added:

“It’s a fast-changing environment. Just because you were confident about compliance when GDPR was introduced in 2018, doesn’t mean you can ignore the new guidance that’s coming through. Also, you need to take account of enforcement actions, to see where problems may arise.

And, although we still don’t know what’s happening over Brexit, what we do know is that whatever happens on that front, GDPR compliance will continue to be the minimum standard required of UK companies who wish to do business across Europe.”

Reviewing your GDPR compliance

Check your policies and procedures

Stress-test your processes on a regular basis, and review whether policies are clear and easily followed. If not, they should be revised and clarified. If your operations have changed, this could impact GDPR compliance, and policies need to be regularly updated to reflect recent changes, such as the guidance on transparency and consent from the European Data Protection Board.

GDPR refresher training

Regular mock data-breach exercises can help keep GDPR at the forefront for staff and identify where changes may be needed. Whenever policies are updated, ensure refresher training is conducted with the relevant staff, and provide detailed development training on data management for any frontline staff. Regular training is one of the things the regulator will look for if anything does go wrong.

Reporting

Staff should be encouraged to seek out, recognise and report data incidents, so make sure you have the right culture that encourages open reporting. The regulator wants prompt identification and reporting, as the longer it takes to identify a possible data breach, the more likely a situation will mushroom out of control.

Third-party relationships

If you transfer personal data through third parties, such as suppliers, or transfer it outside the EU for any reason, it’s important that all related contracts and processes comply with GDPR requirements.

Data Protection Impact Assessments

Ensure you understand the circumstances in which you must conduct Data Protection Impact Assessments. These are key to the GDPR philosophy of designing systems with privacy at their heart. They should be undertaken whenever data processing could pose a high risk to individual rights and freedoms. Guidance on the ICO website sets this out in detail.

For further advice and information, contact M. Qaiser Khanzada today.

Note: This is not legal advice; it provides information of general interest about current legal issues.
