lessons from British Airways’ massive fine for GDPR breach



The UK’s data watchdog, the Information Commissioner’s Office announced earlier this month that it intends to fine British Airways £183.39 million following a cyberattack against its systems last year.

The data breach involved user traffic from the British Airways website being diverted to a fraudulent site, where personal data and credit card information of around 500,000 customers was harvested by attackers.  The Information Commissioner’s Office found this to be the result of poor security arrangements. It appears that there was a delay of around 3 months between the breach taking place and it being reported to the Information Commissioner’s Office, which may have contributed to the size of the fine.

what does it mean?

The massive fine demonstrates the seriousness of breaches of the European Union’s General Data Protection Regulations (GDPR), which came into force in Europe in May 2018.  It represents approximately 1.5% of British Airways’ worldwide revenue in 2017 (the maximum penalty under the GDPR is 4% of worldwide revenue).

The message is clear – if you are subject to the GDPR and do not treat your customers’ data with the utmost care and fail to follow the correct procedures, you can expect severe penalties if a data breach occurs.

The GDPR will apply to New Zealand businesses if:

  • they have operations located in the EU and process personal data of individuals in the EU (regardless of where this personal data is processed); or
  • they offer goods or services to individuals located in the EU (even if those individuals are not paying customers) or monitor the behaviour of individuals located in the EU (including through the use of cookies).

so what should you do?

carry out a data inventory

Carry out a data inventory to understand what personal information you collect and process, and your purposes for doing so.  You can’t design an appropriate data security strategy if you don’t know what personal information you hold.

If you operate a B2B e-commerce or marketing website, our GDPR privacy policy doc maker includes questions that help identify the personal information you are likely to collect and process, and the likely purposes for you doing so.

get familiar with your obligations under the GDPR

The Information Commissioner’s Office has an excellent guide at

review your data security

The GDPR does not define the security measures that you should have in place – it requires you to have a level of security that is appropriate to the risks presented by your processing.

You should look at what security measures are considered to be industry standard in light of the nature, scope, context and purpose of your data processing.  The ISO 27001 standard contains generally accepted guidelines for an information security management system and is intended to be applicable to all organisations, regardless of size, type or nature.  For specific types of data, other standards may be relevant – e.g. if you handle credit card data, you may be required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

implement a process for dealing with data breach

Finally, you should have a process in place for dealing with a data breach.  Under the GDPR, you must report a data breach that poses a risk to people within 72 hours of becoming aware of it, even if you do not have all the details.

In New Zealand, there is currently no legal requirement to report a data breach.  However, the Privacy Bill currently before Parliament proposes mandatory notification where a privacy breach presents a risk of serious harm to an individual or individuals.

Whether or not reporting is required, handling a data breach well will help mitigate the damage to your reputation and your relationship with data providers.  The NZ Privacy Commission has useful guidelines and the Information Commissioner’s Office guidelines also include a section on data breaches, including a notification self-assessment tool.

explore our other blog posts

having a say on directors protecting their residential addresses

in a nutshell Submissions are now open for a bill that would allow directors of New Zealand companies to keep their residential addresses private if they have concerns about their own safety or the safety of someone they live with. We have worked with people who have legitimate safety concerns…

post-money convertible notes

Back in 2018, Y-Combinator (YC) updated their core investment instrument and launched what is now known as the post-money SAFE. We analysed the post-money SAFE back in 2020 – see our blog here The main difference between a pre-money and post-money SAFE is that, on conversion, under the pre-money…
[partial name="mailchimp-newsletter-horizontal" dir="template-parts/components/component"]

are you based in southeast asia?

If so then you may prefer