The ICO has the power to impose a fine of up to 4% of a business’s worldwide annual revenue. The BA fine, although eye-watering, is only approximately 1.5% of the airline’s annual revenue, a long way short of the maximum 4% level.
This raises the question: did the ICO conclude that the cause and/or the impact of BA’s loss of personal data was not as severe as some of the scenarios envisaged? Perhaps the loss of personal data held in medical records, rather than credit card information, would attract a higher percentage, or perhaps the ICO considered that the speed at which BA responded and subsequently co-operated with the investigation should be reflected in the percentage applied.
The introduction of the General Data Protection Regulation (GDPR) has had some of the desired effects: data owners and processors have reviewed their approaches, and changes have been made. But it’s to be expected that the regulator should demonstrate its powers in its first few years; the key question now is when we’ll see a maximum 4% fine being applied, and why, as opposed to whether it will be applied at all.