Today’s announcement allows both parties to claim victory – even if it may ultimately prove to be pyrrhic. 

BA negotiated a 90% reduction in the ICO’s proposed penalty of £183 million and in the process has provided a playbook for other organisations to follow when they receive substantial regulatory fines.

For its part, the ICO can claim to have issued the fourth biggest GDPR fine to date whilst also putting companies on notice that it’s able to extract significant penalties for the type of event – large security breaches – that happen on a weekly, if not daily, basis in the UK.

Going forward, it’ll be particularly interesting to watch how today’s penalty impacts the related group litigation against BA in the UK High Court, given that the company has now admitted liability for its security failings.

At the same time, will the ICO reflect on lessons learnt and propose penalties which it can stand behind? Given BA’s relative success in this case, the ICO will be keen to avoid a repeat of the bruising, 15-month saga that led to today’s announcement.