By Patrick Wheeler

The recently reported data breach affecting British Airways customers highlights how important it is for every business to apply, and regularly review, appropriate data security measures, which is one of the key principles of the GDPR.

It is rather surprising that it took over 2 weeks before the data breach was discovered, which means that a very large number of customer transactions are likely to be affected. The breach will need to have been reported to the ICO within 72 hours of its discovery. BA have already assessed the breach and decided to inform the data subjects. The ICO are likely to conduct a thorough investigation of BA’s security and, if that security is found wanting, the ICO has the power to impose a fine of up to €10 million or 2% of BA’s worldwide turnover. If BA is found to be in breach of Article 5 GDPR, in that it did not ensure appropriate security of the data, including protection against unauthorised or unlawful processing, then the maximum fine could be doubled.