1. The staged regulatory process led to confusing misrepresentations in the press this morning. I am not sure who is doing the ICO or BA's PR for this, but no fine has been issued - we are at the 'notice of intent' stage, which allows formal representations (and there will have been dialogue before then). I cannot see the ICO walking away from a fine altogether, but the eventual amount may be lower (and if BA accept it, they will get an 'early payment discount'). More generally, BA has come in for criticism on their messaging at the time of the incident, and there are some in the data protection community that think the ICO should not publish widely details of notices of intent because it may affect the fairness of the resolution process (my reading of the statutory position is that in legal terms, it only needs to send the notice to the entity it intends to fine).
2. The ICO's earlier off-the-cuff line about 'not adding zeroes to earlier fines' may not be quite right... £183m, if issued, is a step change. Whilst the easy number to remember with GDPR was 20m Euros, the wording of the legislation allows the maximum fine to be up to 4% of global turnover, if higher. The proposed fine here is, I think, about 1-2% of BA's turnover, which is about £12bn. For high-turnover, low-margin businesses (or the public sector) this is a risk - although 'ability to pay' and 'knock-on effects' are factors the ICO will take into account in setting the penalty.
3. ...but per affected data subject, the proposed fine is not so far removed from some earlier action (about £366 per person here, based on 500,000 data subjects). There were about half a million affected data subjects. Some high-impact incidents under the 'old' regime attracted far higher fines per affected data subject (for instance GMP losing some unencrypted DVDs of interviews with victims of crime). The BA incident was high volume/low potential impact in the great scheme of things - whereas GMP was low volume/high potential impact. The change in regulatory regime brought by GDPR is better able to address such situations for large businesses engaging with lots of individuals.
4. Prevention will remain better than cure. I wonder how much BA spends on its cyber security position relative to £183m. An organisation that can show it has made heavy investment may influence the ICO's thinking at the investigations stage.
5. It isn't over yet. As regards the proposed fine, there is now a window for formal representations, and BA can then appeal against any eventual fine. Meanwhile, a class action suit is also in the offing - with some suggesting a value of £500m (and accepting the fine will open the door wider on this). I think this case will also be a practice run for the ICO for their future GDPR enforcement strategy.
Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).