The reference to an ‘exceptional expense of EUR 22 million in relation to the theft of customer data at British Airways’, buried in IAG’s half-year results, gives a tantalising insight into the amount that BA could be required to pay to close out the ICO’s long-running enforcement action into its 2018 data breach.

If that figure is anywhere close to being accurate, it will be both a win and a loss for the ICO. In most circumstances, a EUR 20 million fine would be seen as a victory for a regulator that has only issued a single fine under the GDPR, of EUR 320,000 against a small pharmacy. Indeed, it would also be the second highest GDPR fine of any EU regulator to date.

However, the figure is also significantly lower than the £183 million fine that BA was originally facing, which the ICO announced to much fanfare in June 2019. Going forward, it would also be surprising if organisations didn’t look to BA as an example of how to contest any intention to fine or penalty notice they receive in the expectation that it could also be reduced. 

No regulator wants to be seen as a soft touch, so businesses, lawyers and other regulators will be closely watching to see how the ICO publicly positions the final BA penalty, whatever that may be.