Two weeks ago the ICO published their rationale for levying fines for consultation, and last week fined British Airways £20m for the June 2018 breach. Opinions are mixed as to whether it is too low for a company of BA's size, whose turnover in 2017 was £12.6bn, from which they made £1.4bn profit. A fine of £183m would have been 1.5% of 2017 turnover; the fine of £20m is 0.16%. Because it was a breach of security, the penalty falls both within the standard €10m or 2% maximum amount (SMA) and within the €20m or 4% higher maximum amount (HMA), which is somewhat confusing! The ICO's matrix of penalty starting points classifies a 0.16% fine as of low seriousness and low/no culpability.
I fundamentally disagree with reducing fines for Covid. Spreading the payments of a £183m fine would have been a better approach for a company like BA. Shareholders should feel the impact so they put appropriate pressure on management to get on the front foot with data protection compliance.