British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.

Continue reading

Japan Adequacy Decision Adopted by the EU Commission

On 23 January 2019, the EU Commission adopted a decision confirming the adequacy of Japanese data protection laws for the purpose of transferring personal data from the EU to Japan in compliance with the international data transfer restrictions set out in Chapter V of the GDPR. Continue reading

Save the data: EU General Data Protection Regulation to apply from 25 May 2018

The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.

The European Commission published its first draft of the EU General Data Protection Regulation (the “GDPR“) in January 2012, a comprehensive reform of current the existing EU regime. In April 2016, after over four years of debate, the final text of the GDPR was formally approved.

The GDPR has now been published in the Official Journal (on 4 May 2016) and will enter into force on the 20th day following that publication (i.e. on 25 May 2016). There is then a two year implementation period, meaning that it will apply from 25 May 2018.

This eBulletin gives an overview of some of the key compliance issues for organisations in relation to the GDPR, including as to data security and sanctions which are not only relevant from a pure data protection compliance perspective, but also in the broader context of data issues and cyber security.#

Continue reading