British Airways Fine – What does the Outsourced DPO think about it all?

By David Hendry

Two weeks ago the ICO published their rationale for levying fines for consultation and last week fined British Airways £20m for the June 2018 breach.  Opinions are mixed as to whether it is too low for company of BA’s size whose turnover in 2017 was £12.6bn from which they made £1.4bn profit.  A fine of £183m would have been 1.5% of 2017 turnover: the fine of £20m is 0.16%.  Being a breach of security the penalty falls both in the standard €10m or 2% maximum amount (SMA) as well as the €20m or 4% higher maximum amount (HMA) which is somewhat confusing!  The ICO’s matrix of penalty starting points classifies a 0.16% fine as of low seriousness and low/no culpability.

I fundamentally disagree with reducing fines for Covid.  Spreading the payments of a £183m fine would have been a better approach for a company like BA.  Shareholders should feel the impact so they put appropriate pressure on management to get on the front foot with data protection compliance.

Contact Us

Send us a Message

Data Protection Project
GDPR Gap Analysis/Audit/Review
Outsourced Privacy Officer/DPO
Support Desk
SAR Support
Cyber Maturity Assessment
NIS Regulations
Information Governance Documentation
DataWise System

We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

Data Protection People Limited – March 2021