Data Privacy Compliance Programme: Lessons Learned Following the ICO’s Intention to Fine British Airways £183m

This morning,  the UK Information Commissioner, Elizabeth Denham, announced her office’s intention to fine British Airways £183 million – 1.5% of global turnover – for the highly publicised security breach in September 2018 that led to the harvesting of an estimated 500,000 customers’ details. This represents a clear statement of intent on the part of the Information Commissioner’s Office (ICO) to use new powers, acquired under the introduction of the GDPR in May 2018, to rigorously enforce the privacy legislation.

Stay current on your favourite topics


Large scale fines had been mooted but many firms assessed that enforcement action at this scale was unlikely. This opinion was predicated on the ICO’s previous focus and the fact that it had rarely applied fines to the fullest extent of its powers (previously the largest fine being £500k) except in the most egregious cases. Consequently, many firms have short-cut compliance and focussed on cosmetic changes to policy and procedure.

The ICO’s statement clearly calls out BA’s failure to implement adequate security. The announcement stresses that the breach, which commenced in June 2018 but was not detected, or notified to the ICO, until September 2018, was the direct result of “compromised” security arrangements. The scale of the fine is a clear, consequential, warning to firms that fail to operate a holistic and integrated approach to privacy.

It is our assessment that a good percentage of firms have yet to:

  • Build performant and functional privacy functions (this is much more than just appointing a Data Protection Officer);
  • Fully grasp their enterprise data map and catalogue (structured and unstructured);
  • Implement acceptable levels of encryption, anonymisation and pseudonymisation;
  • Identify and remediate externally facing IT security risks as well as many internally facing risks such as Data Leakage Protection (DLP), access control and privileged access management;
  • Implement the right levels of monitoring and alerting and join these up with breach notification processes;
  • Invest in enabling technologies that can identify and mitigate risks but also reduce operating costs (for example, compliance with new subject rights).

Since 2017, Citihub Consulting has been leading some of the financial services sector’s largest data privacy compliance programmes. The concept of privacy is often siloed with accountabilities fragmented across corporate legal, lines of business, information technology, IT security, and compliance functions. In our assessment, effective privacy compliance requires an enterprise Operating Model that applies both a top-down view (governance, procedures and controls) with a bottom-up view (systemic analysis, compliance technology, and ITSec).

Designing and implementing defences for the critical systems and infrastructure of large financial institutions


Ian O'Hara

Ian O'Hara


Ian brings a wealth of cross-industry technology experience to our clients and specialises in the commercial aspect of IT, including a deep knowledge of the data centre and managed services industries around the world.