GDPR – British Airways Data Breach

GDPR – British Airways Data Breach

Branches maybe aware of the recent media coverage regarding British Airways facing a record fine of £183 million for a breach of its security system that took place last year. The breach resulted in the personal data of 500,000 BA customers being stolen. In addition Marriot Hotels faces a £99.2 million fine after hackers stole personal details of over 339 million customers. In the case of BA the ICO has stated that it is the largest penalty it has ever awarded and the first to be made public under the new rules.

Significant in the statement made by the ICO were the comments that “People’s personal data is just that; personal. When an organisation fails to protect it from loss, damage or theft, it is more than inconvenience.  That’s why the law is clear.  When you are entrusted with personal data you must look after it.  Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

As previously reported, penalties imposed by the ICO has increased to a maximum penalty of 4% of the organisation or company’s turnover. It is clear now that after a settling in period the ICO is starting to act and to act with purpose. The threats posed by the ICO are self evidently real and as such we must fully understand and appreciate the impact that such actions i.e. a fine would have in the event that such a fine was imposed on the CWU.

If a potential fine of the CWU was in line with the BA fine, this would amount to a sum of money in the region of £435K-£450K.

The penalty fine is divided up between other European Data Authorities while the money that comes to the ICO goes directly to the Treasury.  Therefore as a trade union we should be mindful about what level of “leniency” would be shown by the ICO to a trade union when the money would be handed directly to the Govt Treasury.

It is therefore both timely and extremely important to remind branches of their obligations to ensure any data they hold within their possession is properly secured.  If branches are unsure as to the protocol when mailing out correspondence to members, they should contact CWU headquarters and seek advice for our Data Protection Officer, Denis Lenihan ( However, the advice that was contained in LTBs 227/18 and 310/18 still stands and must be implemented and respected at all times, a copy of those LTBs are attached.

Any further enquiries to the LTB should be addressed to the SDGS’ department (

Yours sincerely,


Tony Kearns
Senior Deputy General Secretary

LTB 434.19 – GDPR – British Airways Data Breach


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at

Up ↑

%d bloggers like this: