British Airways is facing a £183.39 million (about $229.72 million USD) fine for failure to comply with the EU’s General Data Protection Regulation (GDPR)—the largest such fine levied so far. 

The fine comes as a result of the UK’s Information Commissioner’s Office (ICO) investigation into a 2018 British Airways data breach, which exposed the payment card records of hundreds of thousands of passengers. 

SEE: IT pro’s guide to GDPR compliance (free PDF) (TechRepublic)

The breach involved user traffic to the British Airways website getting diverted to a fraudulent site, where customer information including names, addresses, login information, payment card information, and travel booking details. 

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham wrote in a statement. “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Since the breach, British Airways has cooperated with investigations and improved its security measures, ICO noted. The company will now have “opportunity to make representations to the ICO as to the proposed findings and sanction,” so the final fine could be lower, our sister site ZDNet noted.  

How to avoid a GDPR fine

GDPR went into effect in May 2018, and impacts any company that handles the data of EU citizens. Companies who fail to comply could be subject to a maximum penalty of up to £20 million or 4% of annual global revenue, whichever is higher. 

A number of organizations are now facing GDPR fines, including LaLiga (€250,000 or approximately $280,000 for app privacy violations) and Google (€50 million or $56 million USD). 

To avoid a GDPR fine, businesses that handle any EU data must ensure that they have a compliance strategy on the books. 

“The GDPR is real, enforceable, and applies to every business collecting, storing, and processing sensitive personal data,” TechRepublic’s Mark Kaelin wrote. “Compliance is not optional. Businesses risk significant, and possibly going concern ending, fines and penalties for non-compliance.”

For more, check out GDPR compliance tips and tools for business leaders on TechRepublic. 

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see