
First GDPR penalty sees British Airways face £183m fine

The ICO has issued a notice of its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation (GDPR), highlighting the importance of being compliant.

The cyber incident was first notified to the ICO in September 2018. Although British Airways has not revealed any technical details about the breach, we know that the incident involved users of British Airways’ website being diverted to a fraudulent site. Through this false site, the personal data of approximately 500,000 customers was compromised. The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.

The penalty to be imposed on British Airways is the first one to be made public since the GDPR came into force last year and will be the biggest penalty the ICO has ever handed out. Under the new GDPR, the ICO can impose a monetary penalty of up to 20 million euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year. The British Airways penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.

British Airways has cooperated with the ICO’s investigation and has made improvements to its security arrangements since the breach. British Airways has 28 days to appeal the ICO’s notice of its intention to fine. The ICO will consider the representations made by the company and the other concerned data protection authorities before it takes its final decision.

The case brings home the potential risks and cost implications of a data security breach. You should make sure you are GDPR compliant, which includes having appropriate technical and organisational security.

We will be running a series of workshops in the autumn on how to handle your data and subject access requests. Keep an eye out for further information coming soon.

If you have any questions or concerns about data protection or on the Data Protection Act 2018 or the GDPR more generally, please get in touch for an initial chat about any issues, and to find out how we can help.


Please note that this briefing is designed to be informative, not advisory, and represents our understanding of English law and practice as at the date indicated. We would always recommend that you seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.
