Big stick time with the ICO’s first major GDPR case

“Speak softly and carry a big stick” - Teddy Roosevelt

On 7 September British Airways disclosed the first major data breach to fall exclusively under the GDPR, the new European data protection law.

The UK information regulator, the ICO, must now respond and, though the ICO has taken a softly-spoken approach on enforcement to date, the scale and nature of the British Airways breach most likely heralds big stick time.

380,000 passengers’ personal and financial details were exposed by the security breach, including names, addresses, credit card numbers, CVV codes and so on. This reportedly unfolded against the wider context of British Airways seeking to outsource their security functions in August, presumably dissatisfied with their in-house efforts.

A correspondingly severe fine now looms in prospect for the airline. Under GDPR this could top out at 4% of global turnover and the numbers look fierce for the national flag carrier with potential liabilities easily surpassing €500 million.

To date the ICO has advocated a “softly, softly” approach to GDPR, drawing attention away from its substantial new fining powers toward developing a wider culture of data protection and privacy compliance. Education is the first critical component of any new regulatory regime so this approach must be applauded.

But a system of regulation goes beyond education. Regulators can only modify the behaviour of the regulated if they establish a meaningful fear of failure by consistently penalising those in breach. If the regulator fails to do so, the regime as a whole will collapse under its own inconsistencies.

The British Airways breach has placed the ICO in a position where it surely must penalise and which it would probably have hoped to avoid for a little while longer while it focused on education.

Considering the fundamental GDPR principle (security) in question and given the profile and scale of the breach, there appears to be little room for manoeuvre for the ICO which appears to have no choice now but to, however reluctantly, wield its very, very big regulatory stick.

About Ohalo

Ohalo builds tools to automate data governance. The Data X-Ray automatically classifies and scans unstructured and structured datasources for personal data, cutting down data mapping times from months to hours while also allowing organizations to fulfill data subject requests and redaction tasks with ease. Go to our plans page to sign up for a free account now.

Ohalo is not a law firm and does not provide legal advice. Nothing in this article or on the Ohalo website ( should be construed as legal advice.