The announcement of a £183 million fine for British Airways has brought into very sharp relief the sheer scale of the fines the Information Commissioner can now levy under the GDPR rules. Colossal as it is, the fine represents only a relatively limited use of the powers available to the ICO: 1.5% of BA's turnover rather than the 4% it could have been.
However, the Commissioner has set a new baseline for the size of fines, and Not for Profits have to take notice because the numbers are really eye-opening. For example, St John Ambulance has been praised for its response to a malware attack, but had it not acted correctly and instead been subject to the same 1.5% fine as BA, it would face a £1.46 million fine - a figure that should bring out any Board in a cold sweat.
Not for Profits have to face up to this danger and invest to make sure they limit the risk. The Commissioner has previously said she was lenient towards charities when she fined several of them over their fundraising tactics, but that may not be the case in the future. The fine for British Airways shows we're operating in a new environment altogether.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."