Jul 82019

UK ICO Issues Largest Ever GDPR Privacy Fine of £183m ($228m)

William RM Long, Wim Nauwelaerts and Francesca Blythe
, , , , ,

Today we saw the ICO issue a notice of its intention to fine British Airways £183.39m for infringements of the GDPR – a record fine and the largest seen in the UK and the EU. The proposed fine relates to a cyber incident which BA notified to the ICO (as BA’s lead data protection authority, DPA) in September 2018. The incident involved the theft from the BA website and mobile app of personal data relating to customers over a two-week period. In terms of next steps, BA now has an opportunity to make representations to the ICO as to the proposed findings and sanction.

This action by the ICO demonstrates that they are prepared to enforce the GDPR and levy significant fines. Ensuring that a company is properly prepared for and responds to privacy and cyber security threats is a key corporate governance responsibility for directors and senior officers. Whilst it may not be always possible to prevent a cyber incident, other companies should be learning from this high profile enforcement action seen today and take steps now to mitigate the impact of a cyber security incident and potential breaches of the GDPR. Key aspects for companies to consider include:

  • Conduct regular testing, for example, periodic attack and penetration testing, or other similar testing to assess cyber risk preparedness.
  • Develop and carry out regular training to different groups to communicate expectations in respect of breach, prevention identification and reporting including senior managers with regular practical table top exercises which run through and practice dealing with hypothetical cyber incidents.
  • Maintain an asset inventory of key information and data systems to assess how the business can be impacted by cyber threats.
  • Maintain clear processes and guidelines for an incident response including a data breach response plan.
  • Carry out a gap assessment of existing cyber security policies and procedures against information security regulatory requirements in the EU, US and elsewhere.
  • Engage in information threat sharing to anticipate general and industry specific threats.
  • Maintain an inventory of key vendors to identify potential third-party risks.
  • Maintain a log of incidents and breaches and lessons learned to identify and prevent recurring incidents and potential vulnerabilities.

In addition, we will expect the GDPR to be used by individuals to recover damages for both financial and non-financial loss, and also be used in business-to-business litigation. And, the GDPR, unlike with regulatory fines, does not cap damages that may be recovered by individuals or organizations that deploy the GDPR in litigation. Because of these potential liabilities, many of our clients are disclosing the GDPR as a key risk factor to their regulators, shareholders and other stakeholders.

William RM Long

London

wlong@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.