• by Sean Hargrave , Staff Writer, July 8, 2019

You can argue about the accuracy of a statement that suggests this is the first time GDPR has been swung into meaningful use, but you most definitely have to agree that this is certainly going to be the big fine levelled at a huge name that will go down as the moment when the new law suddenly became very real. If Kodak is the brand name associated with not moving with the digital times, BA will now be forever the poster child of what happens when GDPR bites. 

Regular readers will remember I've been telling digital marketers that although a massive GDPR fine would be a major brand issue, it was always more likely that the big fines would come from IT issues, not accidentally sending someone an email who had asked not to be contacted.

That is exactly what we have here. It would appear that last June, some cyber criminals managed to trick people into going to a fake site where their personal information was harvested.

The details have not been revealed, but it is fair to assume that cybercriminals syphoned off traffic from BA's own site. This doesn't appear to be a spoofed site -- one of those domains that looks similar enough to trick people into clicking on it. For that level of fine, it would have to have been a link from the BA site that was taken over.

As a result, 500,000 people had their personal information compromised. The ICO does not state whether or not this included financial details, but has criticised BA for having poor security around both its log-in and payment facilities.

There are two major issues at play here that aren't really being covered in the press. The first is that, as the ICO points out, it is working on behalf of the data regulators across Europe. The good old days before GDPR are long gone. Then, you could be helpful and expect a fair hearing and a regulator that would give you the benefit of the doubt. The system is now EU-wide and not as flexible, even if a regulator truly believes it was an honest mistake. 

The second is that despite this situation, the ICO is pointing out that the GBP183m fine is what it intends to issue -- and that BA is welcome to make the case for why this should be reduced. Even so, as the statement from the ICO makes clear here, it will still be listening to other data regulators as well. BA can make its case but then so can data regulators in every other EU country.

This is how the authority signed off its statement on the proposed fine. "The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision."

So there is some wiggle room there for BA to get a reduction. It has said it is "disappointed" with the level of the proposed fine. Reading between the lines, the airline is thinking that as in the days before GDPR, coming forward to reveal a data hack and then fixing it, with a warning to affected customers, was enough. Clearly that is no longer the case.

In addition to the doom-and-gloom talk that preceded GDPR becoming law, I always felt the most interesting aspect would be cybercrime. Several experts warned me at the time that the new law would straightjacket our own ICO into acting on behalf of all regulators and that would mean an end to leniency being offered to those who did the decent thing, as BA did, and came forward to admit a problem and fix it. 

The airline has been fined around 1.7% of its annual turnover, and as we all know, GDPR could have taken this to a maximum of 4%. The ICO will claim, then, that it has cut the airline some slack for handling the breach responsibly, but will probably come back to its accusation that BA should have done more to protect its customers' data.

So don't expect that fine to change considerably, if at all, although BA will obviously do all it can to get a reduction.

The takeaway for marketing? Brand image suffers when people lose trust in a company's ability to protect data, just as with Talk Talk. That means GDPR isn't only about marketing, but also cyber security. The sting in the tail was always going to come through protecting data from misuse.

GDPR always was -- and always will be -- about cyber security, as it is the legal basis for processing customer data.