News & Events

News & Events

Back To News

GDPR takes off with first UK fine handed to British Airways

Businesses would be forgiven for thinking that the GDPR has been asleep since its introduction just over a year ago. However, the Information Commissioner’s Office (ICO) has shown that it means business by announcing its intention to hand down its largest ever fine to British Airways for £183 million – its first fine under the General Data Protection Regulation (GDPR).

Just two days after this announcement, the ICO has flexed its muscle again by stating its intention to hand a fine of almost £100 million to Marriott International, the parent company of hotel chains including W, Westin and Le Méridien, which admitted that guests’ personal data records, including credit card details and passport numbers, had been stolen.

Under the ‘old’ data protection rules that pre dated GDPR, the maximum fine issued by the ICO was £500,000, which was handed to Facebook over the Cambridge Analytical scandal back in October 2018.

In the case of British Airways, the ICO’s investigation found that approximately 500,000 customers’ personal data was compromised by poor security arrangements. Whilst BA notified the ICO of the incident in September 2018, the ICO has said it believed the incident begin in June 2018, some three months earlier.

BA now has 28 days to make representations to the ICO on the proposed fine and actions; the ICO would then consider these before making its final decision.


Since the introduction of the GDPR on 25 May 2018, the ICO has had the authority to issue eye-watering fines up to a maximum of 4% of a company’s annual turnover. In light of its proposed fines for BA and Marriott, it looks like the ICO is not afraid to use this new power to wield shareholder-affecting penalties.

The ICO will, in our view, target the larger companies for lead fines but will also look at SMEs, which are bound by exactly the same rules – so it’s vitally important that businesses of all sizes ensure they understand the value of the personal data they hold, handle it sensitively and treat it with the utmost care.

For help and advice on ensuring your business is GDPR compliant, please contact our friendly commercial law team on 01482 325242

Contact Us

Let's keep in touch!

To receive regular updates such as newsletters, legal updates and invitations to upcoming events please fill in your details below.

I agree that Andrew Jackson Solicitors LLP will retain my details on its database, and may sometimes use the details in accordance with its Privacy Notice to send marketing materials to me.

    Type your search term above

    Please enter a search term above and we'll show you any matching pages.

    Call us

    Hull+44 (0)1482 325 242

    York+44 (0)1904 275 250

    Grimsby+44 (0)1472 267 770

    Scarborough+44 (0)1723 882 500

    We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the Andrew Jackson Solicitors LLP website. However, you can change your cookie preferences at any time through your browser settings. Click here to view our cookies policy.