Donal O'Donovan: 'Massive fine bares the teeth GDPR has given data regulators'

Stock image

Donal O'Donovan Twitter Email

July 09 2019 02:30 AM

It could be worse - the massive £183m fine BA is facing could have been an even more massive £500m.

Its doubtful that's how it will be seen by managers at British Airways or its parent, IAG.

But its the reality. The General Data Protection Regulation (GDPR) that came into force across Europe last year dramatically raised the stakes for businesses of all sizes.

Google was slapped with a €50m fine earlier this year by French authorities under the same rules, but UK Information Commissioner Elizabeth Denham is the real wake-up call for industry.

The numbers look massive. British Airways is set for a fine equal to 1.5pc of its annual turnover, not the maximum 4pc, but it is still greater than the entire value of most companies on the Irish stock exchange.

Willie Walsh, the no nonsense head of BA parent IAG gave every indication he plans to fight the fine. He can hardly do otherwise.

BA can appeal, and surely will. Its lawyers are undoubtedly poring over every avenue to undo, mitigate or plead down the scale of the fine.

From BA's point of view, it was the victim of a crime, the only reason customers' data was leaked.

But the rules are clear, under the GDPR the onus is on data holders to protect the privacy of individuals, including from criminals.

The data lost by British Airways was undoubtedly sensitive - customer names, addresses, payment information including card number, expiry date and CVV security codes were all potentially compromised.

"That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights," said Elizabeth Denham.

Even if BA succeeds in pushing back the scale of the fine, Ms Denham's ruling will have succeeded in terrifying business leaders in Europe and beyond.