The EU’s General Data Protection Regulation (GDPR) Bites British Airways
The EU’s General Data Protection Regulation (GDPR) Bites British Airways

Companies are being fined for failure to detect and remediate persistent  data breaches.


The EU’s General Data Protection Regulation (GDPR) legislation issued its first record-setting fine – $230 million – against British Airways (BA) for its failure to protect 500,000 individual’s payment card data.

The proposed fine is equal to 1.5 percent of BA’s 2017 revenues (the breach occurred in Sep. 2018). While the fine is less than the limit allowed by GDPR (four percent) and because of the “one stop shop” provisions of GDPR, the airline will not face any additional EU fines. Nonetheless, this is a wake-up call that regulatory agencies are willing to aggressively prosecute firms that fail to provide adequate levels of privacy protection as defined by their regulations.

It has been little more than 13 months since GDPR went live.

Small business owners and enterprises have spent significant time and energy trying to become compliant, but all indications are they still have a way to go. Prior to the BA fine, there had been 206,326 cases of breaches and complaints reported so far, and about $63 million in fines issued, according to the European Data Protection Board.

Only about half of the cases have been completed and closed to date so we can expect the value of the fines to increase significantly.

BA’s Lax Security

According to an investigation by Britain’s Information Commissioner’s Office (ICO), British Airways experienced a data breach that rerouted customers to a fraudulent site designed to steal their payment card data.

The fake site enabled the hackers to harvest the personal data of approximately 500,000 BA customers over a period of more than three months (June to Sep. 2018). The ICO stated that the severity of the fine is not because the airline suffered a breach but because of BA’s poor security posture at the time of the breach.

The report claims “the ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

BA and its parent company, International Airlines Group, plan to appeal the fine. BA has already made a number of security improvements and has apologized for the breach. The airline also noted that to-date there is no evidence of fraud or fraudulent activity at accounts linked to the hack. But no one knows what the future will bring.

Other Year-on GDPR Findings

Recently, the UK’s ICO announced it was fining Marriott $125 million for its failure to detect and remediate a data breach that persisted for four years.

The breach occurred in the now-discontinued Starwood reservation system – prior to the Starwood hotels being acquired by Marriott. While the total exposure was 339 million guest records globally, it only included 30 million Europeans. Thus, the fine represents just 0.6 percent of its 2017 revenues.

Moreover, if 10 percent of the total number of guest records were California residents, then the potential penalty due to the California’s Consumer Protection Act (CCPA) were in place at the time of the failure could be $300 million or more.

Enterprises have a long way to go before they are fully compliant with GDPR regulations – not to mention CCPA and other international privacy legislation. The largest exposure likely comes from secondary usages of privacy data, which in most cases has not be authorized or approved by consumers.

These derivative use cases are applications such as analytics and marketing applications. The best example of this type of exposure is Facebook’s $5 billion fine by the U.S. Federal Trade Commission for mishandling user personal information.


GDPR (more specifically the penalties) has moved privacy compliance from the hidden confines of the back office to the Board room.

As more and more materially significant fines are announced  small business owners and IT executives can expect  Board members to pay more attention to the privacy risk exposures and demand more information. Furthermore, small business executives need to be more attentive to the fact that there are many more customer databases and applications in existence than companies realize, which could come back and bite them at a later date with even more fines.

Compliance with GDPR and the patchwork quilt of privacy laws will not be an inexpensive endeavor, especially since privacy definitions, requirements, and enterprise obligations differ by regulation.

Small business owners and IT executives, and Board members, must understand the business obligations created by GDPR, other privacy laws, and increased federal oversight, and determine the budgetary requirements needed to comply with each of the consumer rights and associated business responsibilities.

Since zero compliance risk is not a reasonable expectation, small business owners  need to also determine what funds and resources are needed to achieve an acceptable level of risk.

Related articles:


The Protection of Consumers’ Online Privacy: A Revolution in Rights

The Protection of Consumers’ Online Privacy: A Revolution in Rights

The seven elements of the Consumer’s “Privacy Rights?” In our last article, we discussed the revolutionary changes in privacy law that have occurred in the last few years stemming from the advent of the European Data Protection Regulation (“GDPR”) and the recent...

AI and Web3: Unleashing the Power of Decentralized Intelligence

AI and Web3: Unleashing the Power of Decentralized Intelligence

The fundamental definitions of AI and web3 as they stand today By now you have probably heard a lot about the pros and cons of Artificial Intelligence or AI and Web3. In this article, we will explore the relationship of AI and Web3, its implications across various...

Must Know Artificial Intelligence Insights for Small Business

Must Know Artificial Intelligence Insights for Small Business

Sorting out 5 AI-related terms and summary of the key AI players. It is difficult to avoid hearing all the noise screaming that new Artificial Intelligence (AI) tools are “game-changers” for the world. Let's begin by exploring 5 AI-related terms populating news and...

Video Gallery


Sign Up for the Latin Biz Today Newsletter

PR Newswire

Featured Authors






My Unusual Path to Launch a New Business

My Unusual Path to Launch a New Business

Understanding the value of stepping away from a large corporation to build my Hispanic business This is my entrepreneurial story. Like many Hispanic businesspeople Fortune 500 companies are great to work with until they interfere with your core values. That's the...






Work, Life & Culture


Health & Fitness

Travel & Destinations

Personal Blogs

Pin It on Pinterest