British Airways Fine – What does the Outsourced DPO think about it all?

Two weeks ago the ICO published their rationale for levying fines for consultation and last week fined British Airways £20m for the June 2018 breach.  Opinions are mixed as to whether it is too low for company of BA’s size whose turnover in 2017 was £12.6bn from which they made £1.4bn profit.  A fine of £183m would have been 1.5% of 2017 turnover: the fine of £20m is 0.16%.  Being a breach of security the penalty falls both in the standard €10m or 2% maximum amount (SMA) as well as the €20m or 4% higher maximum amount (HMA) which is somewhat confusing!  The ICO’s matrix of penalty starting points classifies a 0.16% fine as of low seriousness and low/no culpability.

I fundamentally disagree with reducing fines for Covid.  Spreading the payments of a £183m fine would have been a better approach for a company like BA.  Shareholders should feel the impact so they put appropriate pressure on management to get on the front foot with data protection compliance.